Archive for the 'Ask Jesse' Category

Ask Jesse answers

Thursday, May 29th, 2008

Asa has published my answers to the questions you asked me. They include my opinions on full disclosure, what makes security hard, and more.

Ask Jesse

Tuesday, May 13th, 2008

Asa is interviewing me this week. If you have anything you want to ask me, post it on Asa's blog :)

Ask Jesse answer: Mozilla internship

Wednesday, May 4th, 2005

michaell also asked:

Good news about the [Mozilla Foundation] internship - any idea what you’ll be doing when you’re there?

I will be a Technical Contributor, Browser and Gecko Security. I haven't yet discussed with Chris Hofmann, Dan Veditz, etc. what I will be doing to make Firefox more secure.

Ask Jesse answer: Mozilla security process

Wednesday, May 4th, 2005

michaell asked:

I know you’ve criticised the mozilla security process (that is, what happens in practice rather than the documented process) previously, but haven’t seen you say anything about it recently. Do you think things have improved? What concerns do you still have?

Dealing with vulnerabilities that are found

There are many problems with Mozilla's vulnerability-handling process:

  • For bugs that are disclosed by the reporter, patches usually appear quickly, but fixed releases take too long.
  • For bugs that are not disclosed by the reporter, patches and fixed releases take too long.
  • Reporters of security holes sometimes don't get any response for a week, which may make them inclined to disclose the hole sooner.
  • For bugs that are not disclosed by the reporter, fixes are checked into public CVS days, weeks, or months before the release. Anyone can look through Bonsai and identify which checkins correspond to security holes without looking at code. (Checkins with references to hidden bugs, branch checkins, and checkins with vague comments without bug numbers are likely to be security holes.) They could then look at the source code changes and, in many cases, reconstruct an attack based on understanding the vulnerability in the old code. Mozilla's security group needs a secret CVS repository for security patches.
  • Bugzilla, Mozilla's bug-tracking system, has holes that can lead to the disclosure of information about security-sensitive bugs. One such bug is itself marked as security-sensitive and has been for years even though multiple people have filed duplicates.

I posted an older version of this list in a comment on Asa's blog. Security researcher "mikx" knew about the CVS problem and it was one of the reasons he chose to disclose holes in Firefox before a fixed version was released.

Eliminating grandfathered vulnerabilities

I'm sad how long my Security tips for users document has to be. I believe that most of the vulnerabilities in Windows and Firefox mentioned there can be fixed with little impact on usability in non-attack cases. They could certainly be fixed with less impact on usability in non-attack cases than making all users read that document ;)

Getting users to keep Firefox updated

Firefox's update notification is too subtle, and updating requires too much bandwidth and effort. Plans for software update in Firefox 1.1 are moving in the right direction to fix these problems. One issue that will be hard to address is users not updating due to abandoned extensions.

Avoiding "missing security check" holes

There have been several fixes that eliminate the need for a class of security check. These fixes make it easier to write secure C++ and JavaScript code and make it unnecessary to sprinkle easy-to-miss security checks throughout Firefox. I hope to see more fixes like these in the future.

Avoiding holes in Firefox's security UI

Someone (maybe me) should keep a list of all the security UI in Firefox and ensure the necessary precautions are applied. For example, users should see clear, accurate information to help them make security decisions such as entering passwords, opening downloaded files, and granting elevated permissions to specific web sites.

One aspect of security UI that requires a lot of attention is dialogs where users make security decisions. In addition to everything above, security dialogs should have safe default actions, clear button labels, and protection against race-against-the-user attacks.

Firefox is doing better on the security-UI front than IE and Opera. IE's and Opera's "what do you want to do with this file" dialogs are still vulnerable to race-against-the-user attacks almost a year after I informed Microsoft and Opera Software. That means that if you're using IE or Opera, a web site can own you pretty easily.

Working with other browser vendors

The Mozilla security group has coordinated security fixes and PR with Opera Software when Firefox and Opera have shared vulnerabilities. This is a good thing.
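
The dialog protections listed under "Avoiding holes in Firefox's security UI" above (a safe default action and protection against race-against-the-user attacks), sketched as an added example that is not part of the original post and is not Firefox code. It assumes the race is a dialog appearing or regaining focus just as the user clicks or types for some other purpose; SecurityDialogGate, replay, the event names and the 2000 ms delay are hypothetical.

```javascript
// Added example, not Firefox code. All names and values are hypothetical.
// Assumption: the race is a dialog that appears or regains focus just as the
// user clicks or presses a key that was meant for something else.
const ENABLE_DELAY_MS = 2000; // constructed value

class SecurityDialogGate {
  constructor(delayMs = ENABLE_DELAY_MS) {
    this.delayMs = delayMs;
    this.armedAt = null;  // when the dialog last became visible and focused
    this.decision = null; // "granted" or "denied" once the user has decided
  }
  // Call when the dialog is shown and every time it regains focus.
  onShownOrFocused(now) { this.armedAt = now; }
  // Call on focus loss: input that arrives while unfocused must not count.
  onBlurred() { this.armedAt = null; }
  acceptEnabled(now) {
    return this.armedAt !== null && now - this.armedAt >= this.delayMs;
  }
  // action: "accept", "cancel", or "default" (Enter with no button chosen).
  handleInput(action, now) {
    if (this.decision !== null) return this.decision;
    // Refusing is always safe, and the default action is the refusal.
    if (action === "cancel" || action === "default") {
      return (this.decision = "denied");
    }
    if (action === "accept" && this.acceptEnabled(now)) {
      return (this.decision = "granted");
    }
    return "ignored"; // too early or unfocused: drop the event, stay open
  }
}

// Replays [timeMs, eventType] pairs and returns the gate's response to each.
function replay(events, delayMs = ENABLE_DELAY_MS) {
  const gate = new SecurityDialogGate(delayMs);
  return events.map(([t, type]) => {
    if (type === "show" || type === "focus") { gate.onShownOrFocused(t); return "armed"; }
    if (type === "blur") { gate.onBlurred(); return "disarmed"; }
    return gate.handleInput(type, t);
  });
}

// Constructed trace: a click lands 150 ms after the dialog appears, the dialog
// loses and regains focus, and only a click after the full delay is honoured.
const SAMPLE_TRACE = [
  [0, "show"], [150, "accept"], [900, "blur"], [1000, "focus"],
  [2500, "accept"], [3100, "accept"],
];
console.log(replay(SAMPLE_TRACE).join(" "));
```

Restarting the timer on every focus change matters as much as the initial delay, since a dialog that is briefly covered and then uncovered presents the same race as one that has just opened.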

Ask Jesse answer: WordPress

Monday, May 2nd, 2005

Joey also asked:

As a fellow WordPress user (only other system I’ve ever used is Blogger), what plugins do you have installed, and do you use the bookmarklet? I love the spell checker and just got a crossposting plugin to work, crossposting to Xanga since all my friends don’t know too much, if anything, about the Internet.

I don't use the WordPress bookmarklet because I post URLs on my account instead of on my blog most of the time. I do use a bookmarklet, of course. I used the favicon picker extension to give the bookmarklet the icon and then gave it an empty name, so it takes up little space on my toolbar.

The only WordPress plugin I use is Text Control, which I use to disable WordPress's buggy auto-formatting and auto-texturizing. See my post about switching from Movable Type to WordPress for details. I haven't tried any spell checking plugins; which one do you recommend?

Ask Jesse answer: Driving

Monday, May 2nd, 2005

Joey asked:

I noticed in your ‘43 things’ you said you want to learn to drive. Do you have your permit? I’m actually going for my license on the 20th of this month. So, how much driving experience do you have?

I had a permit a few summers ago, but it has expired. I practiced driving with a driving instructor and a little with my mom.

Several things turn me off from driving:

  • I don't have a good sense of the size of the car I'm driving, so I never know whether I have to move to avoid a parked or oncoming car. Several people have told me that this sense comes from practice, but I don't see how practice would help unless you hit something at least once.
  • I often don't get enough sleep to be able to drive safely.
  • Owning a car is expensive. Even if I had enough money, it seems like there would be better ways to spend it.
  • If I had a car, I wouldn't walk to school/work, and then I would get even less exercise than I do now.

Ask Jesse answer: Mudd

Monday, May 2nd, 2005

Ben Karel asked:

Thoughts/reflections on your time at Harvey Mudd, perhaps?

The best thing about Harvey Mudd for me was that it is small (about 700 students) yet connected to the other Claremont Colleges. I have a hard time recognizing people until I've seen them many times, so I would not have a chance to make as many friends at a large college. I made some great friends at Mudd. At the same time, I was able to take a wide range of classes at Pomona, Claremont McKenna, and Scripps. Having a women's college (Scripps) across the street helped balance the 2.5:1 gender ratio at Mudd.

I didn't realize it while I was at Mudd, but the computer science profs and classes were great. The profs at UCSD don't seem as interested in the material.

One of the reasons I decided to attend grad school was that I had such a great time in college, and assumed grad school would be similar.

Ask Jesse

Sunday, May 1st, 2005

Ask me questions as comments on this entry, and I'll try to respond.

I stole this idea from Asa.