On 11/28/15 5:06 AM, Gijs Kruitbosch wrote:
On 27/11/2015 23:46, dstill...@zotero.org wrote:
The issue here is that this new system -- specifically, an automated
scanner sending extensions to manual review -- has been defended by
Jorge's saying, from March when I first brought this up until
yesterday on the hardening bug [1], that he believes the scanner can
"block the majority of malware".

Funny how you omit part of the quote you've listed elsewhere, namely: "block the majority of malware, but it will never be perfect".

You assert the majority of malware will be 'smarter' than the validator expects (possibly after initial rejection) and bypass it. Jorge asserts, from years of experience, that malware authors are lazy and the validator has already been helpful, in conjunction with manual review. It's not helpful to say that what Jorge is saying is "not true" - you mean different things when you say "the majority of malware".

I've addressed this repeatedly. In my view, saying "it will never be perfect" is a misleading statement that betrays a misunderstanding of the technical issues. If the system is so trivial to bypass that anyone with a basic grasp of JavaScript would have to essentially volunteer to be manually reviewed, the system cannot block malware. Again, malware that wants to be detected isn't really malware.

The idea that a malware author is going to say, "Oh, man, I was all set to release this malware and make lots of money, but then the scanner flagged 'nsIProcess', and 'n'.replace() + 'sIProcess' is just too much effort, so I guess I'll just give up and go attack users some other way" is totally absurd. You're really going to defend that claim? You can't just say, "OK, I guess that argument doesn't really make sense, so maybe we should reconsider what we're actually trying to block"?

Jorge has been saying he believes the scanner can block most malware
because he genuinely doesn't understand the technical issues here, as
his statements (and his absurd blocklisting of the PoC) make clear. It's
hard not to make this sound like a personal attack,

This is what's so offensive. It's hard to make this not sound like a personal attack because it *is* a personal attack. What's more, Jorge's competence or otherwise is irrelevant to the discussion. Your insistently bringing it up and your condescending attitude towards Jorge and other Mozilla folks is offensive, unhelpful, and not constructive in addressing the actual issue at hand. If we were some nameless corporation you wouldn't even know the name of the person responsible for the add-ons system, but that wouldn't change its quality or the validity of its approach one iota.

If the person who's been defending this system for the last year isn't aware of the technical issues and has been making statements that aren't borne out by what's technically possible, and I point that out, that's not a personal attack. It's a relevant data point in understanding how a bad policy might have been put into place and defended against criticism. If that person has been the one refusing to implement a whitelist for extensions like Zotero without understanding that, because of what I've demonstrated, whitelisted extensions couldn't do anything that unlisted extensions couldn't, that's relevant to the issue.

Jorge admitted he doesn't understand the PoC, so that's not really up for debate: "I don't know if we will be able to detect the particular workarounds implemented in this bypass add-on; I'll leave that to the dev team to determine and file individual dependencies." [1]

As a sidenote about the blocklisting: without signing being required, that's the only thing that could actually be done at that time. I mean, that or close off submissions for all non-AMO-listed frontloaded add-ons, which presumably would have made you (and many other people) even more angry. I wasn't involved in the decision, but I don't think it is "absurd", or that your calling attention to it (in your blogpost and elsewhere) was anything but sensationalizing the issue.

What? The only thing that could have been done? To accomplish what? It was a proof of concept, with non-malicious example code hardcoded to localhost. And the issues in it can't, by definition, be blocked by the validator, which Jorge didn't understand (as he said himself on the hardening bug). No one who understood what the PoC was or what it implied would have blocklisted it, because it makes literally no sense to do so.

[Dan] says stuff like "And
it's just depressing that the entire Mozilla developer community spent
the last year debating extension signing and having every single
counterargument be dismissed only to end up with a system that is
utterly incapable of actually combating malware."

which basically boils down to an ad-hominem on Mozilla and an indictment
of "the system" and signing and the add-ons space generally, when
really, all we're talking about right now is how/whether to review
non-AMO-distributed add-ons before signing them. Dan acknowledges
elsewhere in his post that signing has other benefits, but the polemic
tone sure makes it seem like the entire plan we have here is rubbish
from start to finish.

It's the people defending automated scanning as a meaningful
deterrent against malware that are failing to make a distinction between different
parts of the system, not me.

I quoted you in the paragraph above this statement of yours. It is a matter of English spelling and grammar that your phrasing condemns all of the signing and review changes. Stop blame-shifting.

OK, I think that's a willful misreading of my post, given how I clearly explain the parts of extension signing I believe to be valuable, but if you want me to say that that sentence could have been phrased better to clarify that I was referring to relying on the automated scanner for combating "a majority of malware", sure.

I'm not calling for no signing. I'm not calling for no
restrictions. I'm not calling for no review.

You're asking us to remove every bit of the automated review that prevents you from publishing Zotero automatically without a blocking human review of your codebase.

I don't know how many of those bits there are (i.e. which bits are currently getting you dropped into the manual review queue), and how much would be left, and you have not specified this. If there were just a few, I assume you would simply have argued against those specific rules because that would have been a simpler change to make and convince people of, so I believe the conclusion I drew is reasonable.

In any case, if we left something of the automated review in, chances are Zotero would just run into the same thing in a future update where you added some more code that ran into the bit that wasn't problematic before, right?

I've explained why we feel non-blocking releases are necessary for Zotero. We've gained people's trust over the last decade by being able to quickly address issues, and we're not going to jeopardize that. We haven't said we wouldn't respond to legitimate issues raised by AMO editors in post-release reviews (which I actually call for in my post).

As for what, if anything, should block release without override, I'm happy to talk specifics, but we can't have a discussion about that without even agreeing on the point of the validator, and it seems no one from Mozilla can even agree on this. Will it "block the majority of malware" (Jorge)? Is it "not primarily a security measure" (Gavin)? Is it "an advisory/helpful tool [rather] than something we could use to automate security validation" (Matt, the author of the validator)?

In my view, if the scanner can be trivially bypassed by malware authors and is just an advisory tool, there's no justification for blocking release. It should be seen as a linter, providing conscientious developers with an opportunity to fix potential (but rarely unambiguous) issues and flagging them for later review by AMO editors. If AMO editors feel that developers are ignoring legitimate security issues, they could temporarily rescind the ability to publish without review. Essentially, I'm calling for whitelist-by-default.

I'm calling for changing
the parts of the process that provide essentially no additional
protection against malicious code but that are hugely disruptive to
legitimate developers.

This sounds eminently reasonable - but doesn't correspond to the specific parts of your original post and this reply that I have referred to before. You could have constructively called out the automated review requirement for frontloaded, non-AMO-distributed add-ons in an objective and simple manner. Instead we get a long angry rant about it, mixed with references to "security theatre" and calling people incompetent.

I'm sorry you felt it was an angry rant. I believe I provided context, explained both the merits and flaws of the current system, and provided detailed, concrete steps for how I think it could be improved to be more consistent with Mozilla's stated goals. But yes, I'm angry that I had to spend the last three months arguing with people about whitelisting when it's now clear that whitelisting wouldn't allow anyone to do anything they couldn't trivially do otherwise.

And yes, using the automated scanner to try to combat malware is, in my view, security theater: "the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to actually achieve it" [2]. It may be a harsh assessment, but I don't think it's unfair.

What you have now is a system that is extremely
disruptive to legitimate developers

I will just point out that not all legitimate developers seem to be struggling as much with it as you do, so I don't know that your generalization is justified. Struggling with signing, privately-run add-ons, modifying public add-ons, the overall debate and its consequences wrt e.g. government surveillance, centralizing a bunch of infrastructure that used to be distributed - yes. Struggling specifically with the automated portion of the review system for frontloaded, non-AMO add-ons... not so much.

I don't know how many extensions are being flagged for manual review, true. But some certainly are, and for them it's extremely disruptive, to the point where, in Zotero's case, we've decided that we would need to cease development rather than be in a position where we couldn't release timely updates to our users. Given that we now see how useless the automated scanner is in its stated goal of actually combating malware, I'm not sure why that wouldn't bother you.

- Dan


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1227867#c5
[2] https://en.wikipedia.org/wiki/Security_theater
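Editor's note: the thread above argues, in the abstract, that a static scanner matching on literal API names such as nsIProcess is defeated by assembling the name at runtime. The block below is an added illustration of that one point; it is not Dan's proof-of-concept, not Zotero code, and not Mozilla's add-on validator. The scanner is a deliberately naive literal-match stand-in (an assumption, since the validator's real rule set is not reproduced here), and the three add-on source snippets are constructed for this example. It runs under Node.js.

```javascript
// Added example, not code from the page, Zotero, or Mozilla's validator.
// A toy static scanner that flags add-on source text containing a blocked
// API name by literal substring match, run against three constructed
// snippets, plus the runtime evaluation showing the spliced names are
// identical to the one the scanner looked for.

// Assumption: the real validator's rule list is not modelled; only the
// "literal match on nsIProcess" behaviour described in the thread.
const BLOCKED_IDENTIFIERS = ['nsIProcess'];

// Returns the blocked identifiers that appear verbatim in `source`.
function scanSource(source) {
  return BLOCKED_IDENTIFIERS.filter((name) => source.includes(name));
}

// Constructed add-on source snippets (strings of source text, not executed).
const SAMPLES = {
  // Plain use of the interface: the literal is present, so the scanner fires.
  direct:
    "var p = Components.classes['@mozilla.org/process/util;1']" +
    ".createInstance(Components.interfaces.nsIProcess);",
  // The exact splice mentioned in the thread. 'n'.replace() with no
  // arguments searches for the string "undefined", finds nothing, and
  // returns 'n' unchanged, so the expression evaluates to 'nsIProcess'.
  replace: "var iface = Components.interfaces['n'.replace() + 'sIProcess'];",
  // A second shape of the same trick: join fragments at runtime.
  joined: "var iface = Components.interfaces[['nsI', 'Pro', 'cess'].join('')];",
};

// Runs the scanner over every sample; returns {label: [flagged names]}.
function scanAll(samples) {
  const results = {};
  for (const [label, src] of Object.entries(samples)) {
    results[label] = scanSource(src);
  }
  return results;
}

// Evaluates the name-building expressions from the spliced samples so the
// reader can confirm they produce the very string the scanner missed.
function resolvedNames() {
  return {
    replace: 'n'.replace() + 'sIProcess',
    joined: ['nsI', 'Pro', 'cess'].join(''),
  };
}

// Stand-alone run: only the `direct` sample is flagged, yet all three
// resolve the same interface name at runtime.
console.log('scanner verdicts:', scanAll(SAMPLES));
console.log('runtime names:', resolvedNames());
```

The point of the example is the asymmetry it shows: the scanner's only hit is the snippet that made no effort to hide, while both spliced forms resolve to the same interface name the moment the code runs. Widening the scanner to flag every `.replace()`, `.join()` or bracket property access would close this particular gap only by sending essentially every legitimate add-on into the manual review queue, which is the trade-off the thread is about.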
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform