Mozilla Wants To Know How Feds Hacked Firefox

HardOCP News

It's kinda funny how none of these companies want to help the government hack people's stuff but the minute the feds do it on their own, they are in court wanting answers.


Today, we filed a brief in an ongoing criminal case asking the court to ensure that, if our code is implicated in a security vulnerability, that the government must disclose the vulnerability to us before it is disclosed to any other party. We aren’t taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure.
 
Is my command of the English language failing me?

The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser. At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base. The judge in this case ordered the government to disclose the vulnerability to the defense team but not to any of the entities that could actually fix the vulnerability. We don’t believe that this makes sense because it doesn’t allow the vulnerability to be fixed before it is more widely disclosed.

See if I am getting these statements correct please.

Mozilla says:

At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base.

But then says:

The judge in this case ordered the government to disclose the vulnerability to the defense team ......

And also says;
Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser.

So the defense team knows, but the defense team doesn't know?

Does that mean the defense team was told but are too ignorant to understand what it is they were told?

It's a bit confusing is it not?
 
They're in court over it because the feds are mandated to disclose security holes in a prescribed manner and the FBI has been failing/refusing to hand over the information to the government agency responsible for the disclosures. The FBI is trying to recreate itself as a domestic CIA with extrajudicial powers.
 
As a security analyst we are required to inform a company if we discover a bug or security flaw in a product or software. To me the government needs to do the same for ethical reasons alone.
 
Gee, why do techies view the government in an adversarial role?

In my experience, it was the part where I was trying to get an internship at a certain agency when I was in college and they wanted me to sign a document that essentially read like a "I agree to give up all my civil rights and have my family and friends investigated and spied on as part of the vetting process, oh and we also get to hold you without trial if you're deemed a threat to national security".
 
In my experience, it was the part where I was trying to get an internship at a certain agency when I was in college and they wanted me to sign a document that essentially read like a "I agree to give up all my civil rights and have my family and friends investigated and spied on as part of the vetting process, oh and we also get to hold you without trial if you're deemed a threat to national security".

Hahahaha... I'm going to go out on a limb and guess you never served in the armed forces. I need a shirt that says "I gave up all my rights to serve our country and all I got was the GI Bill and a bad back."

On a serious note, you really only have two options as a tech company:
1) Figure out a way to work together with the government or,
2) Expect the government to get smart enough to not need you to work together.

The government has an agenda to keep America safe. Occasionally, that agenda means ignoring your civil liberties. Look on the bright side, at least with that internship, you had a warning you were going to be thoroughly investigated. Not everyone gets that luxury.
 
Hahahaha... I'm going to go out on a limb and guess you never served in the armed forces. I need a shirt that says "I gave up all my rights to serve our country and all I got was the GI Bill and a bad back."

On a serious note, you really only have two options as a tech company:
1) Figure out a way to work together with the government or,
2) Expect the government to get smart enough to not need you to work together.

The government has an agenda to keep America safe. Occasionally, that agenda means ignoring your civil liberties. Look on the bright side, at least with that internship, you had a warning you were going to be thoroughly investigated. Not everyone gets that luxury.


No, the government has the agenda to keep the government safe, under the guise of protecting murica (Think of the children!!!), that almost always means ignoring your civil liberties. But you go ahead and keep drinking that koolaid... Ignorance is bliss.
 
They're in court over it because the feds are mandated to disclose security holes in a prescribed manner and the FBI has been failing/refusing to hand over the information to the government agency responsible for the disclosures. The FBI is trying to recreate itself as a domestic CIA with extrajudicial powers.

No, they are not in court over it. They are in court prosecuting a guy and Mozilla is seeing this and approaching the court under the rule of law to make a request of the court. They are not in court over this security flaw or over the FBI's handling of it. That is a side issue relevant to the case as it potentially affects Mozilla. I say potentially because no one has come out and said for sure if the vulnerability is actually in Mozilla's code yet.
 
In my experience, it was the part where I was trying to get an internship at a certain agency when I was in college and they wanted me to sign a document that essentially read like a "I agree to give up all my civil rights and have my family and friends investigated and spied on as part of the vetting process, oh and we also get to hold you without trial if you're deemed a threat to national security".

Yep, a little over the top in the explanation but it is similar to what everyone who ever held a clearance must accept. Hell, it's worse today actually; today it's more than just an investigation, it's a lifetime of surveillance. Oh, and they don't actually spy on your friends and family, but they will come and ask them questions about you and about the things you have volunteered in your SF-86 questionnaire. And you don't actually give up all your civil rights, it's just a couple. It's not nearly what every man and woman relinquishes when they sign up for the armed forces, so there are degrees of sacrifice; your choice was yours to make.

I would never fault you for making that choice for yourself.

Hell, all servicemen serve and make their own sacrifices in order to guarantee others the right to make that choice.

It's true, sometimes they are not so selfless in their service. But then again many are, and many have paid quite heavily for their choice to serve. Even more so for those who decades ago were drafted without choice.
 
As a security analyst we are required to inform a company if we discover a bug or security flaw in a product or software. To me the government needs to do the same for ethical reasons alone.

That's fine, but realize that as a security analyst, (presumably working for a business or firm), you are not responsible for the defense of the country.

And BTW, when you say that you are required to inform .... required by whom?
 
It's kinda funny how none of these companies want to help the government hack people's stuff but the minute the feds do it on their own, they are in court wanting answers.


Today, we filed a brief in an ongoing criminal case asking the court to ensure that, if our code is implicated in a security vulnerability, that the government must disclose the vulnerability to us before it is disclosed to any other party. We aren’t taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure.

Why is that funny? It's commendable. They don't want to help anyone hack their users. But if someone finds an exploit or a security hole they want to plug it.
 
Why is that funny? It's commendable. They don't want to help anyone hack their users. But if someone finds an exploit or a security hole they want to plug it.

I think you misunderstand. I believe Steve's point is that if these companies were working with the government then they would already know about the vulnerabilities.
 
I'll tell how they did it: "With minimal effort."

Firefox is not a secure browser.
 
But if they have to disclose every single vulnerability they find, won't it eventually get to a point where they won't be able to hack these things anymore? Which would then put the companies in a position to block the government from information, as they've been trying to do.

Everyone in the hacking community knows that you do your best to avoid revealing what exploits you use so as to avoid having them patched out. They're basically trying to force the government to behave like "dumb" hackers that just give away all their secrets to the enemy until they can't hack anything.
 
Hahahaha... I'm going to go out on a limb and guess you never served in the armed forces. I need a shirt that says "I gave up all my rights to serve our country and all I got was the GI Bill and a bad back."

On a serious note, you really only have two options as a tech company:
1) Figure out a way to work together with the government or,
2) Expect the government to get smart enough to not need you to work together.

The government has an agenda to keep America safe. Occasionally, that agenda means ignoring your civil liberties. Look on the bright side, at least with that internship, you had a warning you were going to be thoroughly investigated. Not everyone gets that luxury.


You're making quite an assumption there actually. There's a BIG difference between signing away my rights to do work for an agency of questionable character and taking an oath to uphold and defend the very rights I was being asked to surrender. One clearly felt like a better use of my efforts and the suits never once mentioned protecting any of the freedoms they wanted me to surrender.
 
In my experience, it was the part where I was trying to get an internship at a certain agency when I was in college and they wanted me to sign a document that essentially read like a "I agree to give up all my civil rights and have my family and friends investigated and spied on as part of the vetting process, oh and we also get to hold you without trial if you're deemed a threat to national security".
So just like signing up for the military, except with more vetting. Companies would do this too if they could get away with it; well, they try so hard to have people sign away rights when possible, but they ain't no govt.
 
Gman1979, true, that was a big assumption on my part. But my time in the service left me feeling like the suited services were just different sides of the same dice. Clandestine or not, the end goals were the same, despite the methods. Little tidbits like this one from the Washington Post reaffirm those assumptions.
 
That's fine, but realize that as a security analyst, (presumably working for a business or firm), you are not responsible for the defense of the country.

And BTW, when you say that you are required to inform .... required by whom?

There are laws stating we have to disclose vulns. A lot of analysts fear lawsuits. Actually, a lot of 3rd party companies are contracted for the "defense of this country". Also, using vulnerabilities to access or spy on your own citizens: there is a fine line there with "defending the country".
 
There are laws stating we have to disclose vulns. A lot of analysts fear lawsuits. Actually, a lot of 3rd party companies are contracted for the "defense of this country". Also, using vulnerabilities to access or spy on your own citizens: there is a fine line there with "defending the country".

You begin by pointing out exactly what I wanted you to say. That it's the government who is saying that private businesses must help disclose these weaknesses. Businesses are not in the business of accessing foreign or enemy computing systems and networks for the purposes of national defense, unless they are Defense Contractors, which do by extension of doing Defense related work. It's easier to see this when you also consider all those parts of the government which also must follow these laws. The Depts of Labor, Education, BLM, Food and Drug Administration, Transportation, etc. All of these parts of the government must also divulge software vulnerabilities to the software vendor for patching. Not that these groups are likely to find much. But those entities that do foreign Intelligence work are a different story and you can see why. They actually depend on such things to gain access to information, but they do put the vulnerabilities they find under an evaluation process in which they look at several things:

If the vulnerability is patched, will they lose the ability to collect on a source, and how important is that source.
Does the vulnerability pose a great threat to Government computer systems.
What is the risk to the nation's infrastructure.
Lastly is the risk to the population as a whole.

There are other things that go into this assessment process as well. I know all about those contracted companies. I have worked for many of them over the last 18 years as a defense contractor employee.
 