On 2015-11-28 8:28 PM, Mike Hoye wrote:
On 2015-11-28 2:40 PM, Eric Rescorla wrote:
How odd that your e-mail was in response to mine, then.
Thanks, super helpful, really moved the discussion forward, high five.
To Ehsan's point that "malicious code here might look like this:
console.log("success"); [and] It's impossible to tell by looking at the
code whether that line prints a success message on the console, or
something entirely different, such as running calc.exe." - that's true,
but it also looks a lot like the sort of problem antivirus vendors have
been dealing with for a long time now. Turing completeness is a thing,
the halting problem exists and monsters are real, sure, but that doesn't
mean having antivirus software is a waste of time that solves no
problems and protects nobody.
As others have pointed, your antivirus analogy is really irrelevant
here. Also, may I suggest that starting to say things such as "Turing
completeness is a thing... and monsters are real" in the discussion
related to an actual security issue trivializes the discussion to a
point where important issues will get ignored, as I've seen happen a few
times before in this thread?
One key claim Stillman made, that " A system that takes five minutes to
circumvent does not “raise the bar” in any real way", is perhaps true in
an academic sense, but not in a practical one. We know a lot more than
we did a decade ago about the nature of malicious online actors, and one
of the things we know for a fact is the great majority of malicious
actors on the 'net are - precisely as Jorge asserts - lazy, and that
minor speedbumps - sometimes as little as a couple of extra clicks - are
an effective barrier to people who are doing whatever it is they're
about to do because they're bored and it's easy. And that's most of them.
I agree with Jonas about this. Even if all of the malware we have seen
on AMO so far have been stuff done by script kiddies, the right way to
think about this is "maybe we've not seen the more sophisticated ones."
It would be terrible to base the security of our add-on ecosystem on
assumptions about the laziness of the malicious actors.
(Also, anecdotally, some of the exploit code against Firefox from web
pages that I have seen myself is among the most sophisticated code and
tricks I've seen in my career so far.)
Any semicompetent locksmith can walk through your locked front door
without breaking stride, but you lock it anyway because keeping out
badly-raised teenagers is not "security theater", it's sensible,
cost-effective risk management.
Please see my reply to Gavin on Friday? To fit the status quo with this
analogy, we're currently copying keys to our front door to strangers
that successfully fill out a questionnaire.
Cheers,
Ehsan
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
