security

  • Posted on by Wladimir Palant

    Disclaimer: I don’t blame people working on AMO for anything. They face extremely difficult problems and are working very hard. I am simply noting some areas where they still have a long way to go.

    I started a little experiment — downloaded all extensions from addons.mozilla.org (AMO), unpacked them and tried to find security holes by searching for specific strings. As expected, it wasn’t all too difficult, one can easily find a dozen vulnerable extensions in an hour, and that not even accounting for the fact that there is a certain unpopular class of extensions on AMO all sharing the same buggy code. The only reason I didn’t hit all too many high profile extensions was that I was going through the extensions in alphabetical order instead of going by popularity.

    Read more… Comment [7]

  • Posted on by Wladimir Palant

    Do you still remember? Sometime in the beginning of year 2004 Bill Gates promised us to take care of the spam problem by 2006. It was big in the news all over the world. Well, the year is almost over and I don’t see anything change for the better. A look at my inbox tells me that spam got much worse if anything. In fact, spammers have made considerable progress in these two years. They are now making heavy use of botnets thus rendering the spam protection methods based on IP address checks or identity verification almost irrelevant. They successfully use randomized mail content and images to trick Bayesian filters. And they got much better at social engineering. What did Microsoft do? They sued a few spammers — which didn’t quite make the expected impact because spam is still much too profitable.

    It’s not that I really expected them to find the silver bullet. I mean, it was obvious that Bill Gates was selling hot air there. But I miss the public outcry. Where are the newspapers who reported about this two years ago, do they want to let him simply get away with a lie?

    Read more… Comment [11]

  • Posted on by Wladimir Palant

    I am back from my vacation and working through all the mail I got in the two weeks. Amongst others I found a funny email bounce for the forum’s confirmation message: “We are not aware of anyone in Germany needing to email us”. That is already weird enough but ok — the forum sends mails using a DE domain as a sender, maybe they don’t like that. So I forwarded the mail using my @adblockplus.org address. The new bounce message was: “We are not aware of anyone in Norway needing to email us”. This time I finally got it — Americans only want to speak to other Americans :)

    Read more… Comment [5]