If you're in InfoSec and you're in Europe, the Middle East, or Africa, there's a great award to recognise an outstanding contributor: the ISLA (Information Security Leadership Award). Nominations close in 2 weeks: abstractscorecard.com/cfp/subm

@paco

I'm not in #InfoSec actually, but I'm in #Europe.

Does disclosing a (probably well known among #BlackHats, but widely overlooked by security people) wide class of #JavaScript undetectable attacks that are trivial to #exploit but easy to mitigate count as an outstanding contribution, if the people who are in charge of addressing them refuse to do so and the #Russian #Government starts to exploit them in the wild months later?

bugzilla.mozilla.org/show_bug.


@Shamar That "bug report" basically says "ignore what users want, disable all JavaScript and stop caching." I don't know if you've ever tried using web sites with a web browser configured that way, but it doesn't work. Everything that "bug report" proposes is possible to do in the existing web browsers. And if someone wants to live that way, they can. A "contribution" that everyone in the field ignores is not a contribution.

@paco

I'm not sure you actually read the report.

I didn't say disable all JavaScript, but make its execution opt-in, as Flash and Java used to be.

Fine, a "contribution" that everybody in the field pretends to misread is not very influential.
And actually, I don't think we can do much with current #IT... except maybe inform people not to trust us.

jehanne.io/2019/01/06/thought-

@Shamar So all this is over opt-in versus opt-out? Really? That's the big "contribution"?

@paco
No, my biggest contribution to worldwide IT #security is to reveal the worst vulnerability out there: people's #trust in #OpenSource projects like #Mozilla.

Actually, the prize should be shared with #Russia for building a database of people who could detect the #JS attacks I described.

Isn't such irony amusing?
Using one of the attacks they turned a "potential threat" into a threat, exposing to the world both the hypocrisy and the incompetence of #Firefox devs.

@Shamar Having read several of your posts about it, I think you need to reorient your worldview. Your current position is that this is such a vulnerability that we should break the web to fix it. Most folks aren't willing to do that, so you think they don't understand it well enough and you try to explain in greater detail. I would assert that it is you who don't understand things well enough. Your only solution is so disruptive and crude that it's binary: break everything or break nothing.

@Shamar You've also had a number of super smart and patient people try really hard to tell you that there is a time and place and method to argue these things. But you take it to extremes and you're not doing your homework. I've read the emails that people wrote you that you posted. I have nothing more to add. Do your homework on how the web works. Propose something more sophisticated than "break everything."

@paco

ROTFL!

I did my homework for roughly 20 years as a #Web developer. Actually so far I'm the most proficient #JavaScript developer in my company.

You don't want to see how the Web is broken? It's totally up to you.

Sell yourself as an #InfoSec expert until someone enters the #firewall you configured through these attacks. You won't be fired, because you can always play the "bad black hat" joker to cover your error.

Opt-in JS is not even enough!
It's all written there.

@paco

Oh funny!

You are a #Cloud #Security expert at #Amazon!

Sorry I didn't intend to hurt your feelings...

It's just that I care about people, not just about users.

@Shamar Yeah. I read a lot of your stuff. Maybe you don't realise how quickly you start insulting people when you disagree with them. All your word choice is inflammatory. It provokes people. I'm not going to insult you back, but I'm also not going to talk to you any more. It's decidedly unpleasant. If you "care about people" try talking to strangers without insulting them.

@paco

I keep the tone of my comment exactly on par with that of my interlocutors.

If you tell me (once again) to "do my homework" after I have spent months informing people about these attacks BEFORE the Russian Government started to exploit them... well, _that_ is "inflammatory".

I didn't insult you, though.

All I said was rooted in facts: you don't seem to have understood the severity of this issue on a global scale, and nobody is informing people!

Where is our #ethics?

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.