Really? All Mozilla has to do is keep a list of the installed plugins, which is then hashed to create a signature.
And where is the correct hash stored? Ah, yes, in a filesystem which is writable by the malicious installer with root privileges.
So, when the malicious software clobbers the public key and re-signs all the plugins, what happens when FireFox uses the private key to check the signatures?
In the context of digital signatures, it is the private key that is used to create the signature and the public key that is used to verify it.
When Firefox checks the signatures it finds that they are correct, because the malicious installer has generated a key pair, signed all the plugins (including the undesirable one) with the private key, and overwritten Firefox's verifying key with the public key.
The only thing that Firefox could do to prevent this sort of attack would be to encrypt the public key used to verify the integrity of the plugin list with a password supplied by the user every time he/she started Firefox. From the user's perspective, this is no different than encrypting the trusted plugin list with a symmetric cipher and asking for a password on each start and to edit the trusted plugin list.
So the installer is going to start and run until the user inputs which password where?
No trusted plugin list == make all plugins trusted? That is even more stupid than not having any plugin security at all.
Patch which executable to show a bogus password prompt? Firefox?
If Firefox asked for a password on every start as described above, a malicious installer could wait for firefox.exe to appear in the process list, then keylog the password and perform the aforementioned attack.
Or, it could simply overwrite firefox.exe with a patched version that assumes all plugins are trusted and throws up a bogus password prompt so the user doesn't suspect anything.
And, why would a user have to put up with a password prompt every time they opened their browser? They would only have to do enter a password to add a plugin or if there was a change to the trusted plugin list.
See above.
You can try to defend them all you want, but the end result is the same. Mozilla could easily prevent this, but they would rather claim the issue is not with their security but rather with what other companies are doing because of their lack of security.
Everyone used to slam MS for blaming hackers for it's security problems. But, when it is Mozilla blaming people taking advantage of poor security in Firefox, it is fine. That is hypocrisy in action.
The best Mozilla could do is to store Firefox and all of its plugins in an encrypted container that is decrypted in memory with a password the user enters every time Firefox starts. A manual implementation of this method is standard when browser security is paramount (hacking the DoD, legitimately accessing the DoD, uploading child porography, etc.). A browser is stored inside an encrypted container which is mounted read-only.
If the unwanted plugin is installed by an entity that claims to be a legitimate company, any of the discussed measures should allow Mozilla to sue their pants off under the circumvention provisions of the DMCA.
The fact of the matter is that SOP for installing software on Windows involves running untrusted code with superuser privileges. There's a lot of good Windows-exclusive software, but frankly, that's fucking ridiculous.
The sensible format would be a LZMA archive with a header containing the name of the software in unicode. A trusted program running with superuser privileges (let's call it a 'package manager') would create \Program Files\$name_of_software\ and $home\AppData\$name_of_software for each user, and extract the archive into \Program Files\$name_of_software\. The installed program would then only be allowed to al
It's not a Firefox security issue. It's an OS security issue. The problem is that installers are routinely given root privileges. There is absolutely nothing Mozilla can do about a third party program rampaging through the file system.
Asymmetric encryption? A malicious installer can clobber the public key and re-sign all plugins with its own key.
Symmetric encryption? A malicious installer can wait for the user to input the password, or clobber the encrypted trusted plugins list (making the assumption that all installed plugins are set as trusted) and patch the executable to show a bogus password prompt. That's a substantially smaller attack surface, but how many users would put up with a password prompt every time they opened their browser?
Record yourself speaking. Transcribe it. Then compare that to something you have written. If you don't notice the difference you are either remarkably eloquent or shockingly illiterate.
Have you actually used a voice operated dialer? They're slow, inaccurate, and conspicuous. Address book autocomplete is better in pretty much any area you can think of.
Work done also scales linearly with clock speed. Reducing clock speed is beneficial only so far as it allows the CPU to run at lower voltage. Modern CPUs are generally pretty good with C1_power/C0_power, but there is room for improvement. I contend that the key to reducing power consumption is to reduce unnecessary wakeups. These statistics can be viewed in Linux with the powertop utility.
Why is it in our collective interests? What benefit is there to be had from the continuation of the species, aside from the satisfaction of our individual instincts? It would be neat if humanity became a galactic empire, but it would not be an inherently superior condition to what we have now. More people are not necessarily better.
If I see a bad jpeg processor that takes 20 seconds to rotate an image, then I will never buy anything from that software house or it's parent company. If they can't hire a decent SSE assembly programmer, they don't deserve my money.
However, if you vectorize the algorithm to make it render faster, the compiler is lying FOR the shitty company and their shitty software by making it appear to be well crafted code.
No offense, but I took the liberty of mending your statement.
Slashdot Mirror
And all your apps have to run on a chip with 700 mW TDP. No thanks.
key.m0zi11a.org
Off the top of my head, I can think of three: Nautilus, Windows Explorer, and Thunar.
Where else would it be stored, aside from the user's mind?
Really? All Mozilla has to do is keep a list of the installed plugins, which is then hashed to create a signature.
And where is the correct hash stored? Ah, yes, in a filesystem which is writable by the malicious installer with root privileges.
So, when the malicious software clobbers the public key and re-signs all the plugins, what happens when FireFox uses the private key to check the signatures?
In the context of digital signatures, it is the private key that is used to create the signature and the public key that is used to verify it.
When Firefox checks the signatures it finds that they are correct, because the malicious installer has generated a key pair, signed all the plugins (including the undesirable one) with the private key, and overwritten Firefox's verifying key with the public key.
The only thing that Firefox could do to prevent this sort of attack would be to encrypt the public key used to verify the integrity of the plugin list with a password supplied by the user every time he/she started Firefox. From the user's perspective, this is no different than encrypting the trusted plugin list with a symmetric cipher and asking for a password on each start and to edit the trusted plugin list.
So the installer is going to start and run until the user inputs which password where? No trusted plugin list == make all plugins trusted? That is even more stupid than not having any plugin security at all. Patch which executable to show a bogus password prompt? Firefox?
If Firefox asked for a password on every start as described above, a malicious installer could wait for firefox.exe to appear in the process list, then keylog the password and perform the aforementioned attack.
Or, it could simply overwrite firefox.exe with a patched version that assumes all plugins are trusted and throws up a bogus password prompt so the user doesn't suspect anything.
And, why would a user have to put up with a password prompt every time they opened their browser? They would only have to do enter a password to add a plugin or if there was a change to the trusted plugin list.
See above.
You can try to defend them all you want, but the end result is the same. Mozilla could easily prevent this, but they would rather claim the issue is not with their security but rather with what other companies are doing because of their lack of security. Everyone used to slam MS for blaming hackers for it's security problems. But, when it is Mozilla blaming people taking advantage of poor security in Firefox, it is fine. That is hypocrisy in action.
The best Mozilla could do is to store Firefox and all of its plugins in an encrypted container that is decrypted in memory with a password the user enters every time Firefox starts. A manual implementation of this method is standard when browser security is paramount (hacking the DoD, legitimately accessing the DoD, uploading child porography, etc.). A browser is stored inside an encrypted container which is mounted read-only.
If the unwanted plugin is installed by an entity that claims to be a legitimate company, any of the discussed measures should allow Mozilla to sue their pants off under the circumvention provisions of the DMCA.
The fact of the matter is that SOP for installing software on Windows involves running untrusted code with superuser privileges. There's a lot of good Windows-exclusive software, but frankly, that's fucking ridiculous.
The sensible format would be a LZMA archive with a header containing the name of the software in unicode. A trusted program running with superuser privileges (let's call it a 'package manager') would create \Program Files\$name_of_software\ and $home\AppData\$name_of_software for each user, and extract the archive into \Program Files\$name_of_software\. The installed program would then only be allowed to al
The homeowner, who was justified, and the dead man, who cannot be charged.
It's not a Firefox security issue. It's an OS security issue. The problem is that installers are routinely given root privileges. There is absolutely nothing Mozilla can do about a third party program rampaging through the file system.
Asymmetric encryption? A malicious installer can clobber the public key and re-sign all plugins with its own key.
Symmetric encryption? A malicious installer can wait for the user to input the password, or clobber the encrypted trusted plugins list (making the assumption that all installed plugins are set as trusted) and patch the executable to show a bogus password prompt. That's a substantially smaller attack surface, but how many users would put up with a password prompt every time they opened their browser?
Dammit dude. Blow the dust out of your case.
Record yourself speaking. Transcribe it. Then compare that to something you have written. If you don't notice the difference you are either remarkably eloquent or shockingly illiterate.
You just used the words 'Intel', 'GPU', and 'performance' in the same post. Clearly, you have gone wrong somewhere.
Have you actually used a voice operated dialer? They're slow, inaccurate, and conspicuous. Address book autocomplete is better in pretty much any area you can think of.
You have provided an excellent demonstration of the first law of Murphy.
Work done also scales linearly with clock speed. Reducing clock speed is beneficial only so far as it allows the CPU to run at lower voltage. Modern CPUs are generally pretty good with C1_power/C0_power, but there is room for improvement. I contend that the key to reducing power consumption is to reduce unnecessary wakeups. These statistics can be viewed in Linux with the powertop utility.
Why is it in our collective interests? What benefit is there to be had from the continuation of the species, aside from the satisfaction of our individual instincts? It would be neat if humanity became a galactic empire, but it would not be an inherently superior condition to what we have now. More people are not necessarily better.
Make your password one character longer instead. Then you get to keep you password 36 times as long!
In the year 2010, why would anyone pay for pornography, copyrighted or otherwise? Anyone still on this business model is a chapter 11 walking.
A yo-yo works fine too, and you might even already have one.
No offense, but I took the liberty of mending your statement.
Surface area (and thus drag) increases as the square of the dimensions.
Cargo capacity increases as the cube of the dimensions.
Ships are fucking humongous. The same argument can be applied to zeppelins.
No, if you took a big steaming dump on his desk, that would definitely be art.
Make that two dozen and one.
Kill it with fire.
Take a look at Article 29 of that there treaty.
If he lives in the same area I do, the 'metroplex' is the cities of Dallas and Fort Worth, Texas, plus the surrounding suburbs and exurbs.
If that means I can get 3-phase service to my house, I for one welcome our new environmentally friendly overlords.