Pwn2Own 2016 Won't Attack Firefox (Because It's Too Easy) (eweek.com)
darthcamaro writes: For the last decade, the Pwn2own hacking competition has pitted the world's best hackers against web browsers to try and find zero-day vulnerabilities in a live event. The contest, which is sponsored by HPE and TrendMicro this year, is offering over half a million dollars in prize money, but for the first time, not a penny of that will be directed to Mozilla Firefox. While Microsoft Edge, Google Chrome and Apple Safari are targets, Firefox isn't because it's apparently too easy and not keeping up with modern security: "'We wanted to focus on the browsers that have made serious security improvements in the last year,' Brian Gorenc, manager of Vulnerability Research at HPE said."
I immediately thought about TOR Browser. The horror.
correct that to "open source sell out", for that is what firefox is
As an avid Firefox user, I have to agree. Firefox is good because it's customizable, but it certainly lacks some inherent security features found in other major browsers. Many of the security risks can probably be averted by configuring the browser for added privacy and disabling certain features, but this is no excuse for lagging behind.
Maybe Mozilla will someday focus on its core competencies again and stop fooling around with nonsense like Firefox OS...
-SR
The article didn't directly say that Firefox was insecure, although this is surely implied. It could mean that Firefox is already secure and the developers just haven't had to implement anything major to keep up.
Read that again.
Notice serious "security improvements".
So, am I to take it that Firefox was sitting on their asses and just adding bells and whistles?
Or their security was so good before and now that there wasn't much improvement necessary?
I don't think the article ever says anywhere that they're not doing it because it's too easy. They're not doing it because all the other browsers introduced sexy new features and they want to focus their efforts on securing these first - since Firefox hasn't changed much under the hood, it's not very different from the last time they used it. It's one thing to add a little comment here and there, but try not to put words in other people's writing. After all, if they were worried it'd be too easy, they would have attempted exploits on a secured Linux distro or on a *BSD - which I don't see mentioned anywhere here at all.
"Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
To add to my above, those who are in charge of Firefox are no longer interested in making its core product better and secure. It is interested in market and marketing, bowing to establishment ideology and legalese, etc. etc.
move those goalposts...
Why would the distribution license affect quality and security of the software?
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
"Yeah, Pwn2own, well.... your MOM is too easy!"
The FF developers don't have the time for that, they're far too busy destroying the user experience just a little bit more with each release.
It takes a lot of time and effort and great skill to ruin what used to be the best browser you know, it doesn't happen by itself!
(I just wish I were joking. Unfortunately they have the Microsoft disease of "The UI must change with each release to show that we're doing something". It's mind-boggling in its insanity, and it annoys their supporters continually. If they hadn't touched the UI in the last 5 years and devoted all their energy to security and performance instead, FF would still be the leading browser today.)
They didn't say Firefox isn't secure, they said it hasn't made many recent security improvements; that's not the same thing. Firefox already had superior security, so it has not had to make many improvements in the last year compared to less secure browsers.
We wanted to focus on the browsers that have made serious security improvements in the last year
Rather than giving Mozilla some bad press they could have stated in the rules that exploit A, B and C have already been done last year and don't count for the 2016 edition of the contest. Even if they haven't changed whatever these guys think is "serious" since last year that doesn't mean the whole thing is bad.
Because opensource RMS magic pixie security dust! Because many eyeballs! Because cathedral and bazaar!
Please don't tell me you never read the bull that opensource zealots spew on how opensource is inherently more secure than closed source. If not, just go to fsf.org and enjoy.
+5 funny. Firefox drops every year at Pwn2Own. So that "superior security" doesn't seem to actually amount to much in real life.
Nope, Rust is being used by Mozilla to develop the experimental layout engine Servo, but there are (as far as I am aware) no plans to completely rewrite Firefox in Rust. There are plans to gradually replace some components in Firefox written in C/C++ with Rust, e.g. a URL parser and an MP4 parser, but I don't think these are part of the current Firefox release.
I thought Pwn2Own was supposed to be all about shaming vendors into cleaning up their act. If Firefox's security is really so poor, then shouldn't these guys be directing more resources toward it, rather than less?
Is this not a large part of how Microsoft was pressured into finally making certain decisions which, while clearly necessary, were very inconvenient from its own perspective? Why are we to believe that it would not work again?
+5 funny. Firefox drops every year at Pwn2Own. So that "superior security" doesn't seem to actually amount to much in real life.
All the browsers fail every single year.
It is official; Netcraft now confirms: FireFox is dying. One more crippling bombshell hit the already beleaguered FireFox community when IDC confirmed that FireFox market share has dropped yet again, now down to less than a fraction of 1 percent of all browsers. Coming close on the heels of a recent Netcraft survey which plainly states that FireFox has lost more market share, this news serves to reinforce what we've known all along. Firefox is collapsing in complete disarray, as fittingly exemplified by failing first in the recent Pwn2Own security challenge. You don't need to be a Kreskin to predict FireFox's future. The handwriting is on the wall: FireFox faces a bleak future. In fact there won't be any future at all for FireFox because FireFox is dying. Things are looking very bad for FireFox. As many of us are already aware, FireFox continues to lose market share. Red ink flows like a river of blood. Mozilla FireFox is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departure of long time Mozilla CTO Brendan Eich only serves to underscore the point more clearly. There can no longer be any doubt: FireFox is dying. Due to the troubles of Walnut Creek, abysmal sales and so on, FireFox OS went out of business and was taken over by PalmOS who sell another troubled OS. Now ThunderBird is also dead, its corpse turned over to yet another charnel house. All major surveys show that FireFox has steadily declined in market share. FireFox is very sick and its long term survival prospects are very dim. If FireFox is to survive at all it will be among retro browser dilettante dabblers. FireFox continues to decay. Nothing short of a cockeyed miracle could save FireFox from its fate at this point in time. For all practical purposes, FireFox is dead. Fact: FireFox is dying
Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
They don't say it would be too easy, they just say Firefox hasn't made significant security changes (e.g. in architecture). Probably doesn't hurt that they can hit Google, Apple and Microsoft for more money than they could get from Mozilla.
I personally don't consider Firefox to be an open source project in any meaningful way. I see it more as a proprietary project whose source code is publicly available, and that's all it is.
A true open source project is driven by the community, not by the maintainer alone. Firefox is driven solely by Mozilla. Regular users have no real say. The best we can do is submit a bug report, and it'll likely be ignored, sometimes for years. It's really not worth the effort to even bother sending in a patch.
Mozilla sure as hell didn't listen to the Firefox community at large when this community rejected Australis, Pocket, Hello, tile ads, and the many other smaller unwanted UI changes that have been forced on us.
Mozilla sure as hell didn't listen to the Firefox community at large when this community requested that the performance be improved, and the memory usage reduced.
Now we're being told that the extension system is going to undergo massive restructuring, and our extensions will very likely break, without us getting any real benefit from these changes.
Heck, we only have to look to Mozilla's own Firefox feedback stats to see how disappointed Firefox's users are. Something is seriously wrong when 80% or more of users are unhappy with a product!
The only time we've seen the community have any sort of real involvement in the development of Firefox is when it has been forked, and Mozilla is left out of the picture completely. See the Pale Moon project for an example of this. It's perhaps the closest thing there is to an open source project built around Firefox's technology.
As far as I'm concerned, Firefox is a proprietary project and we just have access to the source code. It's not a community-driven open source project.
I want to thank the Slashdot editors for putting stories with realistic analyses of Mozilla and Firefox on the front page of Slashdot, and allowing some real discussion of these issues to take place.
This just isn't possible at other discussion forums. Take Hacker News, for example. Many people directly involved with Mozilla and Rust spend their time there. That, combined with Hacker News' broken and easily-abused mod system, means that any frank discussion about Mozilla, Firefox or Rust tends to get suppressed. If you dare to question anything Mozilla has done, or if you dare to point out something that may be construed as negative, you will find yourself mercilessly downvoted. My suspicion is that the downvoting is being done by the very people working on these projects, since there are so many of them on that site and their comments show they don't tolerate anything even just resembling dissent.
Reddit isn't much better. There are a lot of rabid Mozilla and Firefox fanatics there who will actively suppress any comment that doesn't fully support and worship Mozilla or Firefox.
It's a real shame that we can't openly discuss the various problems affecting Mozilla and Firefox at places like Hacker News and Reddit. Maybe if they pulled their fingers out of their ears, so to speak, and stopped downmodding truthful comments the people behind Firefox would begin to see why their product's market share has slid down to only about 7%, with nearly no (0.04%!) mobile presence. When people say negative things about Firefox, it's because the problems are real, they exist, and they need to be dealt with properly! Silencing such observations doesn't help; it just makes matters worse. It drives more people away from Firefox and Gecko, and typically over to Chrome, which just makes the Blink monoculture stronger and stronger. A Chrome/Blink monoculture is the last thing the web needs!
I'm a certified hater of Firefox, but I'd like to hear what Mozilla has to say about this. Firefox's security is reviewed by not only their security team, but also Debian, the Tor Project, Red Hat, and many others. I have a hard time believing the situation is really so bad.
Something being open source has never, ever meant that it is more secure. That is a myth propagated by open source zealots. Open source only means that the source can be viewed, and most likely changed, by anyone. Open source zealots assume that means it is rigorously vetted by security experts to find any flaws and fix them, which is a huge assumption that most likely is not true for most projects.
To add to my above, those who are in charge of Firefox are no longer interested in making its core product better and secure. It is interested in market and marketing, bowing to establishment ideology and legalese, etc. etc.
And making sure that it's not run by some guy who holds the same beliefs on gay marriage as Hillary and Obama did a couple of years ago.
Do you have ESP?
Because they're in the process of becoming yet another Chrome also-ran and basically they're too busy tonguing the Google sphincter to bother stopping the freefall of their flagship product and business.
Chas - The one, the only.
THANK GOD!!!
Do you have any actual experience with these kinds of metrics? Having worked in quality control, customer service and analyzing customer feedback in several different industries over a number of decades, I can tell you that you're absolutely wrong. Self-selection proves to be irrelevant in most cases, and contrary to popular misconception it usually results in more positive ratings for a product. If there's one thing that people like to do more than complaining about bad products it's raving about good ones! The people who "bother to send feedback", as you put it, are actually biased toward liking the product. Those who have a bad experience often don't provide feedback, because they see it as a waste of time, especially if there's a high likelihood that they won't receive any financial compensation by complaining. This causes problems for us studying such feedback, because we typically want to focus on the bad experiences. Furthermore it's extraordinarily rare to see an 80%/20% gap like we're seeing in Firefox's case, regardless of whether the feedback was voluntarily provided or whether it was prompted for, and regardless of whether it's in the positive or negative direction. Typically we see around 60%/40% for most products. We'll get 70%/30% for products that have a reputation for being unusually good or unusually bad. But 80%/20% is basically unheard of. Something is seriously wrong, in a good or bad way, when we're consistently seeing numbers like those. In a case like that of Firefox, where 80% of the respondents are unhappy, we'd typically look beyond the survey. We'd look at comments in other discussion forums, which in the case of Firefox are often overwhelmingly negative. We'd look at market share stats, which in Firefox's case show a significant drop over time. We'd look to see if a major competitor, like Chrome, has seen an upswing in its market share, as users dissatisfied with Firefox would typically be moving to it instead.
When we consider all of these factors together, the conclusion we can draw in the case of Firefox is that users are highly dissatisfied with it, to a degree that's almost never seen. In other industries, and even for most software providers, such observations would result in panic and immediate action. Something is miraculously wrong when 80% of a product's users, even if they're self-selected, report being unhappy with the product.
Something being open source has never, ever meant that it is more secure. That is a myth propagated by open source zealots. Open source only means that the source can be viewed, and most likely changed, by anyone. Open source zealots assume that means it is rigorously vetted by security experts to find any flaws and fix them, which is a huge assumption that most likely is not true for most projects.
While I agree it is a myth, I don't think it's the zealots that really pushed it, but those that didn't really understand their message that open source has the *potential* to be more secure *because* of the many eyeballs effect. That doesn't mean it *will* be, just that it has the *potential* to be.
Open Source Zealots typically won't talk about security; they'll talk about bug fixes and maybe equate that to security, since more bugs fixed typically will mean less potential for exploits, which is true unless there are fundamental flaws in the programming related to security.
At worst, an open source project has the same security profile as a closed source project - only the people that started the project do anything on it.
At best, a large community builds around it and thereby the many eyeballs effect can take place and the bugs found/fixed (and thereby security improved) by magnitudes higher than a closed-source project of the same initial size.
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
Praytell, when is the last time Apple admitted a security flaw?
January 2016 http://lists.apple.com/archive...
Windows is plagued by bad design decisions.
Such as? Taking for granted that Windows' foundation was based on running on a 16-bit PC.
Open source flaws usually tend to be dealt with fairly rapidly once discovered.
However, what is the fallout for a quick patch update?
I think you're going a little overboard calling people zealots there Chuck.
Zealots are not just fans of open source, but ignore the problems that do exist and point to the problems in others' select cases to make their point.
There are a set of Large Open source project, but a lot of small ones where there is a few people who care about the source.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Here you go: https://ftp.mozilla.org/pub/firefox/releases/3.0/
Good reason. Good reason. I gave you two. Your turn.
I see a lot of comments about Firefox's security but no references so far. So, let's look at cvedetails code execution counts:
2016:
Edge: 6
Chrome: 0
Safari: 0
Firefox: 3
2015:
Edge: 19 (Nov 12 - Dec 31, a projected rate of 142 per year)
Chrome: 8
Safari: 101
Firefox: 83
2014:
Chrome: 4
Safari: 65
Firefox: 55
So while Firefox is getting a lot of hate here today, I think the unbiased view is that Firefox is clearly more secure than any browser other than Chrome, which has by far the best record. I struggle to imagine an objective reason to exclude Firefox from any evaluation while including Safari. Edge hasn't been out very long, but based on the very small amount of data we have so far, it looks significantly worse than Firefox.
https://www.cvedetails.com/pro...
http://www.cvedetails.com/prod...
http://www.cvedetails.com/prod...
https://www.cvedetails.com/pro...
>>Open source only means that, the source can be viewed, and most likely changed, by anyone.
Pretty sure that's shared source. I thought open source means being able to compile / distribute it?
Praytell, when is the last time Apple admitted a security flaw? Windows is plagued by bad design decisions. Open source flaws usually tend to be dealt with fairly rapidly once discovered. I think you're going a little overboard calling people zealots there Chuck.
Can't say about Windows; but Apple does it regularly, and publicly, after an internal investigation and fix (which is the prudent thing to do, to protect users).
I thought Google was out and Yahoo was the new benefactor/overlord. The Mozilla Foundation's most recent public financials are for 2014 so it's hard to tell for sure.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
All the browsers fail every single year.
Yes but out of Firefox, Edge, Chrome, and Safari, Firefox fails more often every single year. Actually it's typically up with IE, and we all know that IE is a model browser for internet security. /sarcasm
Well I can't speak for everybody but I'd rather have an ugly but functional system than a pretty infested one.
Sorry, but I'll still take Firefox over Chrome, IE, or Opera any day. Here is the dialogue I always have on some message board whenever I try to go over to Chrome:
Me: Where is the menu bar?
Them: You don't need a menu bar, the menu button will do everything instead.
Me: Will it let me open a file?
Them: Uhm....well...no.
Can I at least add a stop button and zoom controls to the toolbar?
Them: Sorry, Chrome doesn't allow any customization. You're supposed to do it the way Google tells you to.
Me: Okay. Where are the options to automatically clear my history at close, erase all cookies at close, not remember search form histories, etc.?
Them: Why would you need that?
Me: For privacy.
Them: What's "privacy"?
Me: It's something Google has never, and will never, respect.
SJW's don't eliminate discrimination. They just expropriate it for themselves.
They didn't say Firefox isn't secure
Nope, they just said they haven't made any meaningful improvements. I guess you assume Firefox has perfect security. "Firefox already had superior security" ahh yes, you do. And superior by what metric? FF has had about 3x more critical vulnerabilities than Chrome and about 10% more overall. Not a huge difference, but it definitely puts them at "worse" not "superior".
So then the claim that Firefox isn't being included anymore because of its "superior security" is just a huge joke. Which was, you know, the whole point of me laughing at the person.
All the browsers fail every single year.
Yes but out of Firefox, Edge, Chrome, and Safari, Firefox fails more often every single year. Actually it's typically up with IE, and we all know that IE is a model browser for internet security. /sarcasm
Safari is the browser that fails the fastest and most regularly. Google Chrome is second.
It is assumed because it is pwn2own, and people attack Safari first to win a MacBook.
Ctrl+O
https://www.eff.org/https-everywhere
You say that as if not all browsers will leave Pwn2Own 2016 broken by at least one team.
think they know something other people don't.
I switched back to Firefox because vertical tabs, dynamic loading/unloading of tabs from memory, and NoScript. I don't just think that Firefox has these nice features...it really does have them (yes, add-on features count as browser features).
It would be cool to see how Firefox with NoScript does in pwn2own.
.: Semper Absurda
and most likely changed, by anyone
Great story, but then where are my commit privileges for Firefox or the Linux kernel?
.: Semper Absurda
You're forgetting the 3rd option:
Horribly insecure code that's too complex (or obfuscated or just plain badly written and possibly poorly commented) for most people to bother looking at, much less fixing & for those that DO bother, they submit a fix/patch which goes ignored or rejected by the maintainer. This, of course, followed by no one bothering to fork the project b/c no one has time for that. This is where most open-source users whine and complain about features, design flaws, and bugs while devs and fanboys tell them "If you don't like it, fork it and do it YOUR way." as if that were a trivial thing just anyone can do in their spare time... b/c we all have such amazing coding skills and free time to take on such an enormous effort by ourselves.
who wants to run NoScript to use?
Given that Chrome won't run it.
Aluminum:~ redacted$ ps -ef | grep Firefox
  502   290     1   0 Wed09AM ??        85:15.56 /Applications/Firefox.app/Contents/MacOS/firefox -psn_0_36873
  502  2036   290   0  7:54PM ??         0:11.86 /Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container /Library/Internet Plug-Ins/Flash Player.plugin -greomni /Applications/Firefox.app/Contents/Resources/omni.ja -appomni /Applications/Firefox.app/Contents/Resources/browser/omni.ja -appdir /Applications/Firefox.app/Contents/Resources/browser 290 gecko-crash-server-pipe.290 org.mozilla.machname.1962407656 plugin
  502  2747  1905   0  4:16PM ttys000    0:00.00 grep Firefox
Does not look to me like plugins are running in the main process.
Most of the contributions to many open-source projects, including linux, are made by a small group of people. People have complained for a long time that linux ignores the user community to cater more to servers. You won't find many "community-driven" open source projects out there, since the core group has its own priorities, and since they're the ones doing 95% of the work ...
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Menu button - "New Incognito Window"
There is no substitute for common sense. Especially, no body of rules will do.
You're forgetting the 3rd option:
Horribly insecure code that's too complex (or obfuscated or just plain badly written and possibly poorly commented) for most people to bother looking at, much less fixing & for those that DO bother, they submit a fix/patch which goes ignored or rejected by the maintainer. This, of course, followed by no one bothering to fork the project b/c no one has time for that. This is where most open-source users whine and complain about features, design flaws, and bugs while devs and fanboys tell them "If you don't like it, fork it and do it YOUR way." as if that were a trivial thing just anyone can do in their spare time... b/c we all have such amazing coding skills and free time to take on such an enormous effort by ourselves.
That's the same regardless of whether it's open source or not. So, no - I'm not forgetting. Been there, done that.
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
Yahoo? Hahahahahahaha.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Mozilla has far better things to do with their time than worry about security. They're making the world safer by getting rid of "discriminatory" language in code. :^)
If it was OK to begin with - no point in listening to them. They are happy already. So you need to concentrate on the unhappy lot. If I can suggest an improvement without making others unhappy - it should just be implemented, if appropriate (technically sound, secure, performant, etc.).
Seeing as we're posting anecdotes and personal preferences... I seldom complain and very infrequently leave a review that is negative in any way. I've left many, many reviews and almost all of them (it'd surprise me if someone crunched the numbers and it was less than 90% positive) were supporting and positive. I'd much rather review something I like than something I dislike. I'm not interested in tearing stuff down but interested in keeping good things going.
Hell, it works with donations too but sometimes in reverse. I've often donated to software authors who write things I not only don't use but probably never will. I figure it helps others and helps to build things up. I'd rather improve than tear down. I want something good - even if it is for others. Sometimes, I use a competing piece of software and I figure if the other improves than my preferred choice will also improve.
I really can't think of the last time that I left a negative review - for anything.
"So long and thanks for all the fish."
Beating dead horse faces.
Contribute to civilization: ari.aynrand.org/donate
Sure, they didn't put any effort into Firefox security last year, but at least Mozilla was taking care of the important things. I mean, they sent Brendan Eich packing for a small political contribution, didn't they?
It's a plan to avoid complaints about the UI by not having one.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
A true open source project is driven by the community, not by the maintainer alone
Wait, you just make up definitions on the fly, post as AC, and get modded up for it? A true open source project is a project whose code is freely available. That's all.
As for community contribution, firefox looks reasonably healthy to me: https://github.com/mozilla/kit...
Compare that to Pale Moon, which you praise: https://github.com/MoonchildPr... ...
Pale Moon has fewer contributors and a much higher volume of commits coming from a single dev. Not that this is bad -- they're both true open source projects, and different projects have different numbers of contributors.
Maybe instead of whinging, you could learn to code and contribute too?
This is where most open-source users whine and complain about features, design flaws, and bugs while devs and fanboys tell them "If you don't like it, fork it and do it YOUR way." as if that were a trivial thing just anyone can do in their spare time...
Sure, but at least with OSS you have the option to fork the project.
If that's not something you appreciate, why would you use OSS? It's not like anyone forced you to.
No, I'm just saying we shouldn't sacrifice security for a pretty UI as the above AC suggested.
Because at least in theory, people can examine the code, find and fix issues with the software, and make improvements. Mozilla does appear to accept submissions, though I have no idea how difficult it is to get something accepted. My guess is most anyone who has the time and energy to contribute to Firefox is probably involved with one of the forks like Palemoon.
You could try Opera. There's also Comodo Dragon and SWIron, though not everyone trusts those versions either.
What's fashion got to do with it? I want to *use* a computer, not pretend it's a fashion show.
Now look at the entitlements for that process. It runs without any sandboxing. A crash in the plugin won't crash the browser, but a compromise of that plugin will give enough privileges to attach a debugger to the main process (on OS X the system will prompt for this, because it looks suspicious, but it can still open arbitrary network connections and read every file in your home directory). Reliability and security often have similar mechanisms, but don't confuse one for the other.
I am TheRaven on Soylent News
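The check the reply above is pointing at, as an added example (not code from the commenter or from Mozilla): on macOS the App Sandbox is an entitlement on the signed binary, so `codesign -d --entitlements :- /path/to/binary` shows whether a helper like plugin-container carries `com.apple.security.app-sandbox`. The plists below are constructed stand-ins for that output, not captured from any Firefox build; the capability descriptions are ours.

```python
"""Classify a macOS binary's entitlements: App Sandbox or not, and what it may reach.

Added example. The entitlement plists are constructed samples, not real
codesign output from Firefox. On a real system the input is the XML that
    codesign -d --entitlements :- /path/to/binary
prints (the ':' prefix strips the binary header that older releases emit).
"""
import plistlib

APP_SANDBOX = "com.apple.security.app-sandbox"

# Real App Sandbox entitlement names; the one-line summaries are ours.
CAPABILITY_KEYS = {
    "com.apple.security.network.client": "outbound network connections",
    "com.apple.security.network.server": "listening sockets",
    "com.apple.security.files.user-selected.read-write": "read/write of user-picked files",
    "com.apple.security.files.downloads.read-write": "read/write of ~/Downloads",
}

# Constructed sample: a sandboxed helper that may still talk to the network.
SANDBOXED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: a signed binary with entitlements but no sandbox key.
UNSANDBOXED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>
"""

# codesign prints nothing at all for a binary without entitlements.
EMPTY_PLIST = b""


def parse_entitlements(blob: bytes) -> dict:
    """Parse codesign's entitlement XML; empty output means no entitlements."""
    if not blob.strip():
        return {}
    data = plistlib.loads(blob)
    if not isinstance(data, dict):
        raise ValueError("entitlements plist must be a dict at top level")
    return data


def is_app_sandboxed(entitlements: dict) -> bool:
    """The key must be present AND true; a present-but-false key is no sandbox."""
    return entitlements.get(APP_SANDBOX) is True


def assess(blob: bytes) -> dict:
    """Return the sandbox verdict and the extra capabilities the binary was granted."""
    ents = parse_entitlements(blob)
    sandboxed = is_app_sandboxed(ents)
    granted = sorted(k for k in CAPABILITY_KEYS if ents.get(k) is True)
    if sandboxed:
        extras = ", ".join(CAPABILITY_KEYS[k] for k in granted) or "nothing extra"
        reach = "App Sandbox: confined to its container plus " + extras
    else:
        # No entitlement means no App Sandbox; a runtime sandbox_init() profile
        # (what Chrome's renderers use) would not show up here, so this is a
        # necessary but not sufficient check for "unsandboxed".
        reach = "no App Sandbox entitlement: runs with the user's full privileges unless a profile is applied at runtime"
    return {"sandboxed": sandboxed, "granted": granted, "reach": reach}


if __name__ == "__main__":
    for name, blob in [("sandboxed", SANDBOXED_PLIST),
                       ("unsandboxed", UNSANDBOXED_PLIST),
                       ("no entitlements", EMPTY_PLIST)]:
        print(f"{name:16s} -> {assess(blob)['reach']}")
```

Feed it the real `codesign` output for the plugin-container binary from the process list above to get the answer the reply gives in prose: a crash is contained, but without the entitlement (or a runtime profile) a compromise of the plugin process gets everything the user can reach.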
But the people DO send negative feedback. Why do they take the effort? Because they are fucking annoyed by Firefox.
One of the main reasons Firefox failed so hard at Pwn2Own in 2014 was that they didn't and still don't (yet) have a way to sandbox tabs. They are working on it now and it sadly won't be in the stable channel 'til after Pwn2Own. I would be very interested in how Firefox compares in security in 2017 to Chrome when it has had a chance to develop e10s some more.
The problem wasn't his beliefs, but him funding an organisation which sought to deny basic human rights to others. Phrasing it the way you did shows one of two things: Either you are ignorant of what actually happened, or you don't care about that and are trying to make some sort of political point while deceiving people.
Yes.
(I use KDE)
Eat the rich.
January 19, 2016.
Source: https://support.apple.com/en-u...