Slashdot Mirror
Firefox Vietnamese Language Pack Infected With Trojan
An anonymous reader writes "Wired.com is reporting that the Firefox browser has been unknowingly distributing a trojan with the Firefox Vietnamese language pack. Over 16,000 downloads of the pack occurred since being infected. This highlights a risk on relying on user-submitted Firefox extensions, or a lack of peer-review of the extensions, many of which receive frequent upgrades."
...vulnerable to these sorts of attacks (which anyone with any common sense would already know), the fact that it is such an open process means a greater possibility of earlier detection, faster analysis and response, and the rapid repair of the process which made such a gaffe possible. In the closed source world most of these steps would take exponentially longer, and quite often the process would remain the same.
Loading...
Open source allows greater quality control than closed source. If Mozilla did not use this potential, it's their fault and not the open source process'. In fact, the problem here is that the quality control used by Mozilla was not open source enough. They only did automatic scanning, something that can be done in compiled binaries, when a simple code-checking (notice that an extension source is not that big) would get the malicious code rather quickly.
right quality control in closed source. bullshite.
How many refurburished ipods have had viruses on them/ How many sb thumb drives with custom controls and drivers have had viruses on them? How may times has MSFT released a service pack only to pull it a day or two later because 50% of the installs would fail horribly?
OSS has a far better track record on quality control. Even better OSS software knows exactly how many times it has been downloaded and releases the exact date at which the infection happened. That is information that is NEVER released by closed source companies.
OSS is far from perfect, but it has a much better track record than closed source software. And when it does fail, everything about the failure is spelled out in details so that particular failure is less likely to happen. Unlike closed companies whose own management don't even know what really happened.
i thought once I was found, but it was only a dream.
So company or organization supported OSS projects with proper QA is the solution.
There is a spark in every single flame bait point.
Yeah. When the hackers steal his identity and ruin his credit, he'll just be cool about it and say "Well, I still love Firefox; I got hacked, but it's not like I had to pay money for this software!."
Open Source should be treated with care, just like any other software you download from the net. Stick to the lighted paths and generally you should be fine. In this case, we have user-generated code which can be iffy, but you can feel fairly safe if it has been downloaded and used a number of times. These things usually come out into the open sooner or later.
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
To be fair, this particular sequence of events could have happened to a proprietary product as well. The article explains that an add-on developer uploaded a new version of the language pack. The language pack was automatically scanned for viruses, and found to be clean (since the signature for this particular Trojan wasn't yet known). It appears that this occurred because the developer's computer was infected (i.e.: this was accidental, not intentional, on the part of the contributor).
This isn't too different from a hypothetical employee whose home computer is infected, and who is working from home and emails a module to his boss, who merges it into the final product. If his home computer was infected, and the standard virus scans missed it, then the final product could end up having Trojan code buried inside.
Would the company necessarily have caught the Trojan? Doubtful. They, too, would probably not have done a line-by-line review of each module update that is submitted.
So I'm not convinced this can be pointed to as a failing of the OSS development model per se. The only difference is that the OSS user contributor is perhaps less well-known (less trustworthy?) to the distributors than in a corporate setting. (But, again, this wasn't a problem of trust... this was a contributor machine being infected. And I assure you that corporate developers can and do get their machines infected.)
Nevertheless, this points to a breakdown in Mozilla's auditing practices. They should be very careful with any code they distribute. But these kinds of quality-control breakdowns occur in OSS projects and corporations, too. (One could tangentially argue that at least with OSS, breaches are likely to be publicized, whereas companies will frequently try to suppress information that points out a security breach.)
I guess the point is: "the fact that anyone could check the source code at any time should not replace proper QA, which shouldn't be all that different from the one done on commercial software".
I'm sure that Firefox has quite a bit of QA done to it... but it's usefulness relies too much on extensions, which we don't that many assurances about.
As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
This was modded funny? If OP had called them a derogatory term would it have been modded insightful? What a disgrace.
Space game using normal deck of cards: http://BattleCards.org
You ask how long it would take to find a virus slipped in to an OSS program? Interesting question. A little bit of Googling would show where major OSS projects were compromised and malicious code was discovered and cleaned within a rather short period of time. Of course - that's not quite a virus. One of the ELF infecting viruses made its rounds by being attached to a supposed exploit and being tossed out in to the community. That had a short run. Although I wouldn't quite classify this as a OSS example. The interesting thing here is that for an environment that you claim lacks quality control, there's something going on that's catching this stuff.
Open source means the QA can be shifted from a group of QA workers in an office to people who use the software. Both approaches work, and both are not perfect. Saying one is inherently better than the other is a bit strange, as they both achieve the same thing, only in different places. QA performed in-house has access to the source code, and can highlight errors and get them fixed, just the same as any OSS project. The only difference is the QA workers are getting paid for it, and are working directly with the developers. I'm not saying that's better, it's just what happens.
Except if a person had actually tested it, it would have become pretty obvious that something was wrong.
"1) The problem was detected nonetheless
2) It is being fixed rather quickly"
Yea, after 16,000+ downloads... doesn't seem quick enough to me.
There have been a number of incidents of trojans and viruses being distributed in commercial shrinkwrapped software. Firefox was slack, like commercial distributors have now and then been slack. You get caught by surprise, fix the process, and keep going, and keep it from happening again.
If they don't address the process that caused the problem, then start worrying.
The quoted statement above indicates there is some level quality control. Your statement above says in your experience the opposite of that is true. The opposite of "some" is "none", especially in light of the tone of your post.
Therefore, you have stated that there is no quality control in proprietary software.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
Actually, that statement if false. The majority of OSS is half-finished, poorly-planned crap that is in perpetual beta. Of what remains, most does not come close, let alone rival, the software provided by proprietary vendors.
The truth is that, with a very few notable exceptions, OSS is generally crapware that gets abandoned once the project obtains an arbitrary level of usability and all the sexy code has been written. Just look at freshmeat or sourceforge to see the truth.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
There has been a lot of discussion about closed source projects having dedicated QA departments and the relative merits of that.
The problem is most software companies don't do QA right.
It's fundamentally against the quarter by quarter business mindset that dominates most companies. QA doesn't produce anything. QA usually pushes back release dates. QA can be almost as resource intensive as engineering.
QA only pays off in the long term as a reputation for quality outside of the company, and then only if they are given the resources they need.
If: Your only willing to hire cheap staff to punch away at the GUI
If: QA doesn't have a say on whether bugs are fixed before release
If: QA doesn't have at least 80% of the product knowledge of the engineers
than a large QA team suffers immense diminishing returns and will likely cost more than they save over the long term.
Unfortunately most companies feel that throwing more cheap bodies at the issue will increase their quality (hint...it won't). At that point the OSS route of lots of eyes is way better.
It is a double edged sword. I speak as a developer and user of Debian.
On one side, the possibility of getting infected binaries are dropped in Debian. Things are signed, etc.
On the flip side, there is a much higher possibility of getting malicious code in the source code. Considering the number of possible code "contributions" and unverified source code changes (at upstream, at maintainer, etc.), the possibility of getting malicious code in one of the less known projects is higher than closed source. Then again, code insertions in very active projects may be less of a problem (see Linux for example).
The bottom line is, you can't check every possible line of code all the time. You can't find if( test > 0 ) vs. if( test >= 0 ) all the time. Open Source != better than closed source in this regard. It is just a different problem.
In closed source is - do you trust the provider? Do you trust the binaries?
In OSS - do you trust all the developers and contributors? Do you trust the code was reviewed properly?
That, and the language/OS elitism. A lot of abandoned projects in sourceforge are developed in an obscure scripting language and/or extension that requires very, VERY careful installation (i.e. wxPython - choose the wrong version and you'll end up in a support nightmare), or perhaps use a specific UI toolkit (perhaps even proprietary *cough cough* cinelerra *cough cough*) that keeps crashing and crashing. I remember when I tried to install GAIM in Windows. It sucked big time. You can't just design something as "cross-platform" if you don't do extensive testing on ALL operating systems, and that includes the Redmond Nightmare.
I believe that a lot of OSS developers program for selfish reasons - i.e. "I'm programming a tool that does what I want" instead of "I'm programming a tool that will help people who might not use my OS or won't share my personal tastes, therefore I need to think about them".
The lesson: It's not really the OS or the toolkit, or even the language used. It's the attitude of the developers that ruins projects.
"When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns