Date: Sun, 31 May 2009 02:38:20 +0100
From: saphex <saphex@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Is FFSpy a hoax?

I decided not to answer any more, but this has become funny,
registering an e-mail account called ffspybuster? lol you're
definitely creative. Anyway, peace, be good.

On Sat, May 30, 2009 at 8:01 AM, FFSpy Buster <ffspybuster@...il.com> wrote:
> Hi,
>
> I have been watching the discussion on FFSpy for the last few weeks.
> Duarte Silva, the author first posted it here: http://myf00.net/?p=18
>
> He also believes that the addon mechanism of all software is flawed from
> a security standpoint. He says that while it is not much of a nuisance in
> other software, it is very much a nuisance in Firefox. The discussion can be
> found here: http://myf00.net/?p=97 (See comments)
>
> He suggests that Firefox must do something to notify the user when an addon
> has been compromised by a remote attacker. He agrees that the remote
> attacker has to gain physical or local access to the system by remotely
> logging in or something. Let us say the attacker ssh-ed or telnet-ed into
> the user's PC and modified an addon. What measures can Firefox take to
> notify the user of the modification?
>
> I can't imagine any because if it is digital signature or checksum based,
> the attacker can very well modify the public key or the checksum in
> Firefox's store. So, this whole FFSpy thing sounds like a hoax to me, an
> unnecessary panic being created by Duarte Silva. Please correct me, if I am
> wrong.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
