Slashdot Mirror


Pwn2Own 2016 Won't Attack Firefox (Because It's Too Easy) (eweek.com)

darthcamaro writes: For the last decade, the Pwn2own hacking competition has pitted the world's best hackers against web browsers to try and find zero-day vulnerabilities in a live event. The contest, which is sponsored by HPE and TrendMicro this year, is offering over half a million dollars in prize money, but for the first time, not a penny of that will be directed to Mozilla Firefox. While Microsoft Edge, Google Chrome and Apple Safari are targets, Firefox isn't because it's apparently too easy and not keeping up with modern security: "'We wanted to focus on the browsers that have made serious security improvements in the last year,' Brian Gorenc, manager of Vulnerability Research at HPE said."

13 of 288 comments

  1. Re:what? by sittingnut · Score: 4, Insightful

    correct that to "open source sell out", for that is what Firefox is

  2. Hey hey hey... by EmeraldBot · Score: 1, Insightful

    I don't think the article ever says anywhere that they're not doing it because it's too easy. They're not doing it because all the other browsers introduced sexy new features and they want to focus their efforts on securing these first - since Firefox hasn't changed much under the hood, it's not very different from the last time they used it. It's one thing to add a little comment here and there, but try not to put words in other people's writing. After all, if they were worried it'd be too easy, they would have attempted exploits on a secured Linux distro or on a *BSD - which I don't see mentioned anywhere here at all.

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."

  3. Re:what? by sittingnut · Score: 5, Insightful

    To add to my above: those who are in charge of Firefox are no longer interested in making its core product better and secure. It is interested in the market and marketing, bowing to establishment ideology and legalese, etc. etc.

  4. Re:what? by Anonymous Coward · Score: 3, Insightful

    move those goalposts...

  5. Can't expect Firefox to be secure by Anonymous Coward · Score: 5, Insightful

    The FF developers don't have the time for that, they're far too busy destroying the user experience just a little bit more with each release.

    It takes a lot of time and effort and great skill to ruin what used to be the best browser, you know; it doesn't happen by itself!

    (I just wish I were joking. Unfortunately they have the Microsoft disease of "The UI must change with each release to show that we're doing something". It's mind-boggling in its insanity, and it annoys their supporters continually. If they hadn't touched the UI in the last 5 years and devoted all their energy to security and performance instead, FF would still be the leading browser today.)

    1. Re:Can't expect Firefox to be secure by Anonymous Coward · Score: 3, Insightful

      Removing cookie management features was the last straw for me. That is an essential feature for browsing the modern web. It's simply bewildering they would remove a critical ability while simultaneously adding weird social media things.

  6. Re:what? by Carewolf · Score: 5, Insightful

    +5 funny. Firefox drops every year at Pwn2Own. So that "superior security" doesn't seem to actually amount to much in real life.

    All the browsers fail every single year.

  7. Re:what? by Anonymous Coward · Score: 1, Insightful

    I personally don't consider Firefox to be an open source project in any meaningful way. I see it more as a proprietary project whose source code is publicly available, and that's all it is.

    A true open source project is driven by the community, not by the maintainer alone. Firefox is driven solely by Mozilla. Regular users have no real say. The best we can do is submit a bug report, and it'll likely be ignored, sometimes for years. It's really not worth the effort to even bother sending in a patch.

    Mozilla sure as hell didn't listen to the Firefox community at large when this community rejected Australis, Pocket, Hello, tile ads, and the many other smaller unwanted UI changes that have been forced on us.

    Mozilla sure as hell didn't listen to the Firefox community at large when this community requested that the performance be improved, and the memory usage reduced.

    Now we're being told that the extension system is going to undergo massive restructuring, and our extensions will very likely break, without us getting any real benefit from these changes.

    Heck, we only have to look to Mozilla's own Firefox feedback stats to see how disappointed Firefox's users are. Something is seriously wrong when 80% or more of users are unhappy with a product!

    The only time we've seen the community have any sort of real involvement in the development of Firefox is when it has been forked, and Mozilla is left out of the picture completely. See the Pale Moon project for an example of this. It's perhaps the closest thing there is to an open source project built around Firefox's technology.

    As far as I'm concerned, Firefox is a proprietary project and we just have access to the source code. It's not a community-driven open source project.

  8. Re:what? by naris · Score: 5, Insightful

    Something being open source has never, ever meant that it is more secure. That is a myth propagated by open source zealots. Open source only means that the source can be viewed, and most likely changed, by anyone. Open source zealots assume that means it is rigorously vetted by security experts to find any flaws and fix them, which is a huge assumption that most likely is not true for most projects.

  9. Re:This is a big bitchslap to Mozilla by arth1 · Score: 3, Insightful

    Yeah, Chrome gets a bad rap for how many resources it uses, but it actually has a good reason and, as you pointed out, if it starts hitting your system's ceiling, it starts scaling back.

    That's not acceptable. A web browser isn't the only, or even main thing I use my computer for. I don't want my VM to be unable to start because Chrome has used all the memory it could find, less a small bit.

    It's not cooperative. It assumes that all memory available has been made available for it only.

    Chrome is like a self-serve cafeteria where some people are gluttons who hog all the food, and latecomers only get crumbs. It might be legal, but it sure isn't playing nice. We shouldn't have to have guards standing at the food stations to prevent greedy bastards from ruining the experience for others. Taking all the biscuits and putting one or two back isn't generosity.

    Firefox isn't much better. One of my users forgot to close a browser window on a server before going on vacation, and just periodic auto-refresh had caused it to gobble up quite a few gigabytes of RAM - a large portion of the server's RAM. The server has extra RAM because of disk caching, to the benefit of all users. I ended up having to implement cgroup memory limiting because of Firefox.

  10. Re: what? by Anonymous Coward · Score: 1, Insightful

    Do you have any actual experience with these kinds of metrics? Having worked in quality control, customer service and analyzing customer feedback in several different industries over a number of decades, I can tell you that you're absolutely wrong. Self-selection proves to be irrelevant in most cases, and contrary to popular misconception it usually results in more positive ratings for a product. If there's one thing that people like to do more than complaining about a bad product, it's raving about good ones! The people who "bother to send feedback", as you put it, are actually biased toward liking the product. Those who have a bad experience often don't provide feedback, because they see it as a waste of time, especially if there's a high likelihood that they won't receive any financial compensation by complaining. This causes problems for us studying such feedback, because we typically want to focus on the bad experiences.

    Furthermore, it's extraordinarily rare to see an 80%/20% gap like we're seeing in Firefox's case, regardless of whether the feedback was voluntarily provided or whether it was prompted for, and regardless of whether it's in the positive or negative direction. Typically we see around 60%/40% for most products. We'll get 70%/30% for products that have a reputation for being unusually good or unusually bad. But 80%/20% is basically unheard of. Something is seriously wrong, in a good or bad way, when we're consistently seeing numbers like those.

    In a case like that of Firefox, where 80% of the respondents are unhappy, we'd typically look beyond the survey. We'd look at comments in other discussion forums, which in the case of Firefox are often overwhelmingly negative. We'd look at market share stats, which in Firefox's case show a significant drop over time. We'd look to see if a major competitor, like Chrome, has seen an upswing in its market share, as users dissatisfied with Firefox would typically be moving to it instead.

    When we consider all of these factors together, the conclusion we can draw in the case of Firefox is that users are highly dissatisfied with it, to a degree that's almost never seen. In other industries, and even for most software providers, such observations would result in panic and immediate action. Something is miraculously wrong when 80% of a product's users, even if they're self-selected, report being unhappy with the product.

  11. Re:what? by Carewolf · Score: 3, Insightful

    All the browsers fail every single year.

    Yes but out of Firefox, Edge, Chrome, and Safari, Firefox fails more often every single year. Actually it's typically up with IE, and we all know that IE is a model browser for internet security. /sarcasm

    Safari is the browser that fails the fastest and most regularly. Google Chrome is second.

    It is assumed that this is because it is Pwn2Own, and people attack Safari first to win a MacBook.

  12. Re:what? by shellbeach · Score: 3, Insightful

    A true open source project is driven by the community, not by the maintainer alone

    Wait, you just make up definitions on the fly, post as AC, and get modded up for it? A true open source project is a project whose code is freely available. That's all.

    As for community contribution, Firefox looks reasonably healthy to me: https://github.com/mozilla/kit...

    Compare that to Pale Moon, which you praise: https://github.com/MoonchildPr... ...

    Pale Moon has fewer contributors and a much higher volume of commits coming from a single dev. Not that this is bad -- they're both true open source projects, and different projects have different numbers of contributors.

    Maybe instead of whinging, you could learn to code and contribute too?