Mozilla security chief [Window Snyder] made some surprising announcements about Firefox Next, Mozilla’s next major browser overhaul. In her chat at the Black Hat security conference, she introduced three new initiatives that focused on threat modeling, training, and vulnerability metrics. For the threat modeling initiative, she’s hired Matasano Security consultants to review Firefox’s code for weaknesses and recommend mitigation tactics to protect the browser from hacker attacks. This isn’t inherently unusual; what is abnormal is that the information, once the work is done, will be revealed to the public. The training initiative will have IOActive trainers working with Mozilla engineers on secure computer programming practices. At the end, according to [Snyder], online versions of the classes will be released to the public, along with the class materials. The last initiative revolves around security metrics, and is already in progress. Essentially, the project will ideally take the focus off of patch-counting and provide a better assessment of security and vulnerability issues. [Snyder] says “We’re in the early phase, working on incorporating feedback from the rest of the industry.” She also reveals some more Firefox developments, including possibly incorporating NoScript into the core browser and implementing protected mode, but they’re still a long way from becoming standard features.
23 thoughts on “Black Hat 2008: What’s Next For Firefox Security”
Whoa, noscript in the core? That would be seriously awesome and bypass some of the dance the extension has to do to get it to work (though ff3 improved things). I wonder if they’re going to make adblock+ features more integrated — blocking things from known-bad and user-defined hosts would be much easier that way. in fact, that could replace the first few extensions that I install before I actually use the browser…
She’s kind of cute. :)
uh… black hat?
more like black face… am i rite?
@joesph-walton: congratulations, you’re a racist.
This chic can overflow my buffers any time..
This chic is hot like fajita meat..
..Goes to start bug hunting in Mozilla code…
@tjhooker: congratulations you are a sexist, and both of you are douchebags.
identifying race is racist. thank you. this is useful information.
Uh… seriously: What role does the race play here? If you said “None”, you got it right.
Now, adding security is a good thing. But IMHO the mozilla project should also pay attention to quite some other things, e.g. stability, speed, memory consumption, protection against badly written extensions and plugins, proper multithreading, …
@Anonymous/#5: Identifying a back person as “black face” isn’t racist, under any context? Wow, I need to go retake linguistics if that isn’t racist.
[tjhooker]: she has a pretty and black face, and those are valid observations. your objection is inappropriate.
what you seem to be objecting to is the _mention_ of and idea of conciousness about skin color, spurred by a common-sense connection between article title and picture. you call that racist, despite the lack of any judgment on any property of the person so far beside the compliment.
this isn’t vaudville “black face” impersonation. this isn’t that context. in another context, calling you a canine would be a prelude to violence and showing the sole of my foot a digusting display of disrespect.
any physical response can be justified if intent is deemed equivalent to imaginary offense. however, they are not the same. so until you actually _ask_ whether [joesph-walton] had ulterior meanings, try not assigning some of your own for irrelevant purposes.
an attractive young female the knows code? the odds are good that the goods are odd.
The person directly associated it with the fact “black” was in the name of the event she attended, and then followed it with “more like black face… am i rite?”.
This isn’t rocket science, or even advanced linguistics.
I’d like to throw down some triple syllable words to really set it in stone, but it’s just racism under every context of ever written and spoken language. Excusing it is kind of instigating trolling and repetitive explanations of core language skills.
Matasano Security is the firm that ‘accidentally’ leaked the DNS exploit details on their blog and then pulled it down and apologized, saying they meant to “only post it after someone ELSE leaked it”, right?
great…now firefox is gonna get a LeakThis! button right next to the Home button that autoposts stuff from your email account to your blog with no confirmation.
Who the hell cares.
She’s more of a mocha color.
Diversity fucking rules, I’m sure any of you would drink her up like a hot lil’ latte, so quit talking shit.
Putting aside testostorone, why the hell hasn’t this happened sooner lol?
I was bored. That’s the only reason I pointed it out. Seeing people excuse something so obvious was what made me make more responses.
She’s the co-founder of one of the consultant firms they’re bringing in.
“but it’s just racism under every context of ever written and spoken language”
You’re in fucking outer space. Are there no black people there? Must not be, or you’d have heard things in unbigoted context.
@13: How the hell is this bigotry?
Like I said this isn’t advanced linguistics. The way they phrased it doesn’t fit any other context. If it does then please enlighten me on what that is, using the whole context, and not just a fragment.
Like I said, the context is so blunt/obvious that by conjuring excuses you’re doing nothing but trolling; frivolously at that.
@14: I agree, I did use too much sexual innuendo.
Too bad political correctness isn’t used on ALL things politically incorrect here. I’m sure you calling me out on my first post is a bit hypocritical given stuff you’ve posted on the net before.
oh, now racism isn’t bigotry. i need to update my dictionary, it was published before 1984.
@17: Perhaps go back to grade school and take literature classes, or even introduction to english, too.
I was clearly addressing the “or you’d have heard things in unbigoted context” statement towards me.
What’s funny is you actually in turn agreed that racism is being used, but sadly do to your poor interpretation/reading skills you labeled me as a racist(hopefully it won’t be terrorist next(
Did anyone else notice that FireFox’s Security Chief is a Fox?
I don’t want noscript in mozilla’s hands, it’s better that it’s independent and constantly tweaked by enthusiast rather than in control of google-lovers who might have an interest to at some point allow some stuff we the user would not want to allow.
0nce too much is under some central control the road to disaster is nicely paved.
I’ve started looking all around for this specific information. Fortunately my partner and i noticed it on Msn.
Please be kind and respectful to help make the comments section excellent. (Comment Policy)