On 11/28/15 8:28 PM, Mike Hoye wrote:
> To Ehsan's point that "malicious code here might look like this:
> console.log("success"); [and] It's impossible to tell by looking at
> the code whether that line prints a success message on the console, or
> something entirely different, such as running calc.exe." - that's
> true, but it also looks a lot like the sort of problem antivirus
> vendors have been dealing with for a long time now. Turing
> completeness is a thing, the halting problem exists and monsters are
> real, sure, but that doesn't mean having antivirus software is a waste
> of time that solves no problems and protects nobody.
>
> You can block known malware signatures with the scanner if you think
> that's a good use of time. But that doesn't require blocking valid APIs
> and patterns that have legitimate uses. That's what we're discussing
> here. AV software doesn't result in long delays in legitimate software
> updates so that AV vendors can manually review software.
>
> One key claim Stillman made, that "A system that takes five minutes
> to circumvent does not “raise the bar” in any real way", is perhaps
> true in an academic sense, but not in a practical one. We know a lot
> more than we did a decade ago about the nature of malicious online
> actors, and one of the things we know for a fact is the great majority
> of malicious actors on the 'net are - precisely as Jorge asserts -
> lazy, and that minor speed bumps - sometimes as little as a couple of
> extra clicks - are an effective barrier to people who are doing
> whatever it is they're about to do because they're bored and it's
> easy. And that's most of them.
>
> Any semi-competent locksmith can walk through your locked front door
> without breaking stride, but you lock it anyway because keeping out
> badly-raised teenagers is not "security theater", it's sensible,
> cost-effective risk management.
I just don't see how this argument makes any sense.
First, we're not talking about locksmiths. We're talking about people
who know how to turn doorknobs. Any JS developer is able to do this sort
of obfuscation in a minute or two.
But here's the point: just setting up the skeleton extension for my PoC
took longer than writing the examples. Actually writing any malicious
code certainly would take longer. And surely if they're as lazy as you
suggest, they're not going to bother creating a dummy extension,
creating an account, submitting it for an initial manual review (as I
suggest in my post), waiting days for approval, and adding in the
malicious code, only to then decide to go eat some Cheez-Its instead of
spending another minute modifying the code to pass the automated
scanner. Do you honestly believe that?
Even if you do — which seems crazy to me — the relevant question is
whether it's worth delaying legitimate extension updates for days at a
time and possibly driving developers away from the platform (as in the
case of Zotero) in the name of blocking that incomprehensible level of
laziness. Do you think it is?
And even if we somehow don't agree on any of that, surely we can agree
that someone who bought off or compromised a legitimate extension
developer (or was the developer to begin with) would be willing to put
in that extra minute?
_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform