Re: Is FFSpy a hoax?

[saphex <saphex () gmail com>]

I decided not to answer any more, but this as become funny,
registering a e-maill account called ffspybuster? lol you're
definitely creative. Anyway, peace, be good.

On Sat, May 30, 2009 at 8:01 AM, FFSpy Buster <ffspybuster () gmail com> wrote:
> Hi,
>
> I have been watching the discussion on FFSpy since the last few weeks.
> Duarte Silva, the author first posted it here: http://myf00.net/?p=18
>
> He also believes that the addon mechanism of all software is flawed from
> security standpoint. He says that while it is not much of a nuisance in
> other software, it is very much a nuisance in Firefox. The discussion can be
> found here: http://myf00.net/?p=97 (See comments)
>
> He suggests that Firefox must do something to notify the user when an addon
> has been compromised by a remote attacker. He agrees that the remote
> attacker has to gain physical or local access of the system by remotely
> logging in or something. Let us say the attacker ssh-ed or telnet-ed into
> the user's PC and modified an addon. What measures can Firefox take to
> notify the user of the modification?
>
> I can't imagine of any because if it is digital signature or checksum based,
> the attacker can very well modify the public key or the checksum in
> Firefox's store. So, this whole FFSpy thing sounds like a hoax to me, an
> unnecessary panic being created by Duarte Silva. Please correct me, if I am
> wrong.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/