Heikki, and to all of course,

thanks for your response.  I understand that you
picked the short straw on that one.  When I say
"you" below I really mean Mozilla.

I don't particularly think it productive to debate
all those points - yours or mine or anyone else's,
so I'll try another approach.  I'm going to describe
the bigger picture in people terms.

What's going on here is that there is a team led
by Amir Herzberg over at an Israeli security school
that's developed a counter for phishing.  Now,
Amir happens to know a thing or two about security
because before that he was an architect for a digital
cash project - which is nothing if not security.  In
digital cash, everything is about security because
it's all about money and it's therefore always in the
shadow of theft.  Both inside and outside theft, which
makes it a much more sophisticated view of security.

Then there's Tyler Close and Ka-Ping Yee.  Now these
guys hail from what is called the "capabilities school,"
which is a forward thinking approach to security in
languages, programming, and philosophy.  It's a
bit like Java but that's like comparing a Tonka toy
tank to the real thing.  These guys have also brought
in some well established security constructs which
happen to have mirrored what Amir and his team have
done.

Then there's Peter Gutmann.  He's some sort of crypto
security and coding prof over in NZ, but he's also
probably one of the world's premier cryptoplumbers.
He's personally coded just about every Net crypto
thingie in existence, and written dozens of papers,
most of them highly critical.  As an antipodean, he
doesn't really have the gift of the politeness, better
called "refreshing directness."

Lynn Wheeler is also floating around, and he's
someone who probably knows more about this
stuff than any other three people alive.  Not only
that, he is the one person on the planet that I
know that might know more about building Internet
payment systems than me, which I find difficult to
stomach, but that's my cross.  He actually knows
what governance structures mean, which means
he can say *why* we do things, not just what to
do.  To cope with this he writes in an obscure style
that masks what he is really saying, it's a sort of
secret rite that if you can read the code, you're
mature enough to not immediately slit your wrists
in humility and depression at how little you know.

Then there's me.  I do payment systems.  These are
systems built to survive persistent attack of both
inside and outside nature.  Convenient assumptions
in browsing become killers in payment systems, you
could imagine it as if every GET is worth money.
Payment systems of course directly link to phishing
because that's about raiding some of the browser-
based systems.  Hence the interest.

Less said about me the better of course, but the
other guys ... these are not slouches.  These are
serious security people.  They come from divergent
backgrounds which is to say if they don't talk your
talk or walk your walk that's because they are looking
at different paths ... but I hope I've established that it
is not because they don't know what they are talking
about.



And they've all found themselves here, in
Mozilla's security & crypto forum.

These people are putting time and effort into phishing.
They all happen to know more about phishing than
Mozilla does, on the face of it.  They are here to find
out what Mozilla's plan is, and to help if possible.

Just so we're all on the same page here, we are not
here to discuss bug fixing, code audits, ActiveX and
why Mozo is better than M$ product.  Not because
these aren't important issues, but because these are
obviously under control.  Mozilla has these issues
under control.

Which is good.

What is not under control is phishing.  This is so not
under control that when someone offers a solution for
phishing, that someone or that solution is ignored.

The solution isn't compared with some other solution,
it isn't suggested that maybe they could work on
a better one, and they don't get quizzed on why they
chose path X not path Y.

Nobody says "hey we need to talk to this guy" or
maybe "first we need to do XXX to lay the groundwork"
or even "you two guys get together and unify your
approach."

Nobody asks why it is that the solution provider thinks
phishing is such a big issue.  Nobody asks for an
explanation, and nobody says "we can do better."

It's ignored, and it's not an isolated case; we know
that now, because there are 2 solutions right here
and now, and there was one in the past as well **.

Make no mistake - all these guys are hanging
around here not to make life difficult for anyone,
not to get a pat on the head, and not to boost their
reputations or their egos by getting endorsement
from the all-conquering brand of Mozilla.

They're here to help.

So when Ping asks "who's in charge," he isn't asking
for a statement that there is someone in charge, he's
asking for a name, a place, an intro so he can take
the discussion to someone who can integrate the
complexities across the teams.

When I say there isn't a security process, what I'm
saying is that in a year and a half of discussions,
whatever process there is has not recognised that
phishing exists, phishing is a browser problem, and
has the potential to become a most serious problem
for MoFo once the public wakes up and works out
what the tool is in front of them that's asking them to
fill in the form and POST their identity to a criminal.



This is serious stuff.  The figures show 1.2 billion
dollars per year of mostly American money.  So
if Mozilla reaches 10% market share then it can
be expecting to look at some number times 120
million dollars of liability - potentially - in a year.

If you know where the security process is, then do us
all a favour - go find them, and ask them to get on the
case.  Or tell us where to find them.

If they are working on it, then tell them to put up an
announcement saying they are working on it.  Tell us
where the suggestion box is.

Or, put up an announcement saying you don't want
outside help.

If it exists, get it to prove it exists by asking it to say
something.

Or, recognise where you're at and save us all some
time.  We've been broadcasting this thing on this
group for over a year now, so we know that there
is no coordinating group, as has been pointed out
by Mozilla people here.

There is no person who's thinking at the level that is
needed to address phishing.  No structure that is
capable of marshalling the disparate issues and
cross-linking them.  Because if that existed, it would
have made itself plain as day in face of the barrage
of emails on this subject in this security forum for the
last year &&.



There is no shame in saying that Mozilla doesn't know
what to do.

Let me share with you the complete absence of shame:
the top security people in the field do not know what
to do.  I know this because in the last year or so many
of them have a) admitted the existence of phishing, b)
said it's a serious issue, and c) not said what to do
about it.

Most are keeping very 'mum' and very careful about it
because they are conflicted, because they've worked
on and promoted these techs for so long that they can't
easily unravel why this is now happening to their babies.
Which is another reason why the people that are here
to help are all from "outside".

Microsoft don't know what to do and neither do Opera.
Unlike Microsoft, you do not have regulators that are
asking difficult questions.  Unlike both you do not
have profits to worry about so you really don't care
if there is a dip in downloads while you sort out some
security issues.

Mofo is not a listed company; it will not be crucified by
the market.  Mofo can tell the truth, words in the press
are just that, words.  It doesn't have to pander up to the
press's hopes and expectations of a grand and righteous
battle with Microsoft.  Mozilla can set its own agenda.

But having said all that, there are some dangers here.

The liability issue is serious.  If Mofo just ignores it or
considers itself A-OK because it does all that other good
security stuff, then when and if the users wake up and
take Microsoft to the cleaners, Mofo will be sitting there
with the same problem.  Worse, if we do accept and
assert that Mozilla has a security process, then it is one
that has decided to do more or less nothing on this issue
for the last year or more **.

At this stage it is far better to say the truth - you don't
know what to do, your security process such as it is
isn't up to this task.  Then at least Mozilla can get on
with building it anew so it can do something about
the problem.

iang

** Gervase was mentioned, and it is true - he's done
some good stuff and that stuff is what I promote over
on the blog.  But... excuse me for forgetting that, all
I can say is that in the year or more, I'm somewhat
underwhelmed.  I know it's not him because when
he should be writing code he's writing papers that
describe the code - so there's some blockage there
which limits him to glacial progress.  Why is it that
Mozilla isn't doing what Peter G said all those months
back: "do all that Gerv said?"  Whether *he's* being
ignored or not, I don't know, but the results aren't
exactly a ringing endorsement.  They are I would
suggest evidence that it doesn't matter who says it,
it is what is said.  If it's about phishing, it's ignored.

&& This is why I wrote about the policy of doing security
work in secret.  That policy is now being used as
a fig leaf to hide the fact that nothing's been done.
That's not good policy and now we can all see it.

Phishing does not trigger the policy of doing security
work in secret because phishing is public knowledge.
If you doubt this, check the press.  We can probably
send you 10 articles per *day* on phishing, just ask.

-- 
Advances in Financial Cryptography:
   https://www.financialcryptography.com/mt/archives/000458.html