hackademix.net » Mozilla
https://hackademix.net
Giorgio Maone's answers to the Web, the Universe, and Everything
Fri, 27 Jan 2017 13:48:32 +0000

Targeted email attack against (open source?) developers
https://hackademix.net/2017/01/27/targeted-email-attack-against-open-source-developers/
Fri, 27 Jan 2017 12:01:47 +0000, Giorgio

Second email I've received today (some headers omitted):

Return-Path: <ludv.jani-2015@vrg.se>
Received: from unknown (HELO mail.bsme-mos.ru) (
by ariel.informaction.com with SMTP; 27 Jan 2017 11:25:22 -0000
Received: from unknown (HELO o) (zayavka@bsme-mos.ru@
by mail.bsme-mos.ru with SMTP; 27 Jan 2017 14:25:17 +0300
Subject: question
Date: Fri, 27 Jan 2017 12:25:26 +0100
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331

This is a multi-part message in MIME format.

Content-Type: multipart/alternative;

Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

Hey. I found your software is online. Can you write the code for my proje=
ct? Terms of reference attached below.
The price shall discuss, if you can make. Answer please.

Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

(HTML omitted)


Content-Type: application/octet-stream;
Content-Transfer-Encoding: base64
Content-Disposition: attachment;

The "PROJECT.gz" file, despite its extension, was actually a RAR archive containing a "PROJECT.doc" MS Word document, presumably with some malicious macro payload (I didn't bother to check).

The earlier one had a "2701.zip" attachment, with a "2701.doc" inside, likely the same as the other one (unfortunately I had not kept it for reference).
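An added example, not code from the original post: a small Node.js check that compares an attachment's claimed extension with the file type indicated by its leading "magic" bytes, which is exactly the discrepancy described above (a ".gz" that is really a RAR archive). The signature table and extension map use common, publicly documented values; the sample byte strings are constructed for the demo.

```javascript
// Added example (not from the original post): flag attachments whose file
// extension does not match the container type indicated by the leading bytes.
// Runs under Node.js. All sample bytes below are constructed for the demo.

const MAGIC = [
  { type: "gzip", bytes: [0x1f, 0x8b] },
  { type: "zip",  bytes: [0x50, 0x4b, 0x03, 0x04] },
  // "Rar!\x1a\x07" is shared by RAR v1.5-4 (then 00) and RAR v5 (then 01 00)
  { type: "rar",  bytes: [0x52, 0x61, 0x72, 0x21, 0x1a, 0x07] },
  // OLE2 compound document: legacy .doc/.xls/.ppt, the usual macro carrier
  { type: "ole2", bytes: [0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1] },
  { type: "7z",   bytes: [0x37, 0x7a, 0xbc, 0xaf, 0x27, 0x1c] },
  { type: "pdf",  bytes: [0x25, 0x50, 0x44, 0x46] },
];

// What each claimed extension should look like on the inside.
const EXPECTED_TYPE = {
  gz: "gzip", tgz: "gzip",
  zip: "zip", docx: "zip", xlsx: "zip", pptx: "zip", // OOXML is a ZIP container
  rar: "rar", "7z": "7z", pdf: "pdf",
  doc: "ole2", xls: "ole2", ppt: "ole2",
};

// Return the container type implied by the first bytes, or "unknown".
function identifyByMagic(buf) {
  for (const { type, bytes } of MAGIC) {
    if (buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b)) return type;
  }
  return "unknown";
}

function extensionOf(filename) {
  const m = /\.([A-Za-z0-9]+)$/.exec(filename);
  return m ? m[1].toLowerCase() : "";
}

// Compare the type the extension claims with the type the bytes reveal.
// A mismatch is only reported when both sides are known and differ.
function checkAttachment(filename, buf) {
  const ext = extensionOf(filename);
  const claimed = EXPECTED_TYPE[ext] || "unknown";
  const actual = identifyByMagic(buf);
  const mismatch = claimed !== "unknown" && actual !== "unknown" && claimed !== actual;
  return { filename, ext, claimed, actual, mismatch };
}

// Constructed samples: a RAR v4 header labelled ".gz" (the case in the post),
// a genuine gzip header labelled ".gz", and an OLE2 header labelled ".doc".
const SAMPLES = [
  ["PROJECT.gz", Buffer.from([0x52, 0x61, 0x72, 0x21, 0x1a, 0x07, 0x00, 0xcf, 0x90, 0x73])],
  ["notes.gz",   Buffer.from([0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00])],
  ["2701.doc",   Buffer.from([0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1, 0x00, 0x00])],
];

function runSamples() {
  return SAMPLES.map(([name, buf]) => checkAttachment(name, buf));
}

for (const r of runSamples()) {
  console.log(`${r.filename}: claims ${r.claimed}, magic says ${r.actual}` +
              (r.mismatch ? "  <-- MISMATCH" : ""));
}
```

Mail gateways and sandboxes apply the same idea at scale; the point of the check is that a lying extension is itself a signal, independent of whatever the archive contains.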

Both messages appear to be hand-crafted, and that, together with the reference to today's date in the attachment file name, IMHO hints at a focused campaign explicitly aimed at targets perceived as "high return investments", such as developers (possibly working on popular / open source projects).

I doubt many of us would fall for this stuff, but I felt a heads up was in order nonetheless ;)

As soon as I published this post I checked my inbox and there was another one...

Update 2

It looked like VBA macro malware, indeed. Thanks Ludovic for reminding me of VirusTotal.

CrossFUD: an Analysis of Inflated Research and Sloppy Reporting
https://hackademix.net/2016/04/08/crossfud-an-analysis-of-inflated-research-and-sloppy-reporting/
Thu, 07 Apr 2016 22:32:10 +0000, Giorgio

On April the 7th at 22:53, Aaron wrote:

I just read a Digital Trends article that states NoScript is a security breach. What's the story here???

It's a story of FUD and sensationalism, reported so carelessly that explaining and correcting readers' perception is now an uphill battle.
What they've actually demonstrated is this: a malicious Firefox extension, one that has already been approved by an AMO code reviewer and manually installed by the user, can invoke another add-on that the same user had previously installed and have it perform low-level tasks on its behalf, rather than calling the low-level function directly as any installed add-on could do anyway. This gains it no further privilege; it serves obfuscation purposes only.

It's like saying that you need to uninstall Microsoft Office immediately because tomorrow you may also install a virus that then can use Word's automation interface to replicate itself, rather than invoking the OS input/output functions directly. Or that, for the same reasons, you must uninstall any Mac OS application which exposes an AppleScript interface.

BTW, if you accept this as an Office or AppleScript vulnerability, Adblock Plus is not less "vulnerable", so to speak, than the other mentioned add-ons, despite what the article states. It's just that those "researchers" were not competent enough to understand how to "exploit" it.

And I'm a bit disappointed in Nick Nguyen who, rather than putting some effort into rebutting this cheap "research", chose the easier path of pitching our new WebExtensions API, whose better insulation and permissions system actually makes this specific scenario less likely and deserves to be praised anyway, but does not and could not prevent the almost infinite other ways to obfuscate malicious intent available to any kind of non-trivial program, be it a Chrome extension, an iOS app or a shell script. Only the trained eye of a code reviewer can mitigate this risk, and even if there's always room for improvement, this is what makes AMO stand out among the crowd of so called "market places".

WebRequest: Where We're, Where We're going
https://hackademix.net/2016/03/09/webrequest-where-were-where-were-going/
Wed, 09 Mar 2016 00:31:37 +0000, Giorgio

Since last time I wrote about WebExtensions, a lot has been going on: for instance, I used to link to a Mozilla Wiki article, and as you can see now I'm linking to a full featured MDN entry :)

In the meantime, I've been, among other things, hacking the WebExtensions code itself to make it suitable for eventually porting my own extensions, NoScript and FlashGot, and all those which share similar requirements.

The key WebExtensions API needed by adblockers (one of the most popular browser extension categories), by anti-trackers like Ghostery and, of course, by security add-ons like NoScript, is WebRequest. Its first implementation as a JavaScript module (still the foundation of the current one, which is a thin wrapper over it) even predates WebExtensions themselves: genius e10s hacker Bill McCloskey started it as a brave experiment to see how realistic migrating Adblock/Ghostery/NoScript to the still just rumored "next thing" in add-on development could be.

Unfortunately, the way this API was originally implemented imposed harsh limitations, both in Chrome compatibility and, more annoyingly, in suitability for the very kind of add-ons it was meant to support. But we've got good news: I've recently landed a couple of patches (after a long time spent away from Mozilla's code repositories), paving the way to the removal of the remaining Chrome incompatibilities and to the addition of new, divergent features required by NoScript & Co., which, by the way, if ever borrowed by Chromium, could finally make porting NoScript to Google's browsers and their derivatives possible.

More specifically, Firefox 47 adds:

  • The requestId property in every WebRequest event, allowing listeners to track individual requests across their entire lifecycle (yes, it's incredible we had not implemented it yet, and it was the main blocker for Ghostery as a WebExtension).
  • Reliable HTTP header manipulation - headers can be examined, deleted, added or modified both in requests (by onBeforeSendHeaders listeners) and in responses (onHeadersReceived) as plain JavaScript arrays of name-value pairs.
  • HTTP response status code and raw status line reporting - without this, it was almost impossible to tell the type of a redirection, or even whether a request succeeded or failed and how.
  • Coming very soon:

    • The onErrorOccurred event (patch ready, will surely land in 48), also needed by Ghostery.
    • The requestBody property, which allows onBeforeRequest listeners to analyze the payload of POST and PUT requests and is required by NoScript's XSS filter.
    • An "origin" property, which is required not just by many of NoScript's features but also by other add-ons such as RequestPolicy.
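As an added example (not code from the original post or from Mozilla's WebExtensions implementation), the following JavaScript shows what the features listed above let a listener do: it follows each request across its events by requestId, edits request and response headers as plain name/value arrays, classifies the outcome from statusCode and statusLine, and records onErrorOccurred failures. The header policies (dropping Referer, adding X-Frame-Options) and the event sequence are constructed for the demo so it runs under Node.js; registerListeners() shows how the same handlers would be attached to browser.webRequest in an extension's background script, using the "blocking", "requestHeaders" and "responseHeaders" extraInfoSpec options.

```javascript
// Added example (not from the original post or from Mozilla's code): using the
// Firefox 47 WebRequest features from an extension's point of view. Header
// arrays are the [{name, value}] shape the API uses; names are matched
// case-insensitively, as HTTP requires.

function findHeader(headers, name) {
  const n = name.toLowerCase();
  return headers.find(h => h.name.toLowerCase() === n);
}

// New header array with `name` set to `value`, replacing any existing copy.
function setHeader(headers, name, value) {
  return [...removeHeader(headers, name), { name, value }];
}

// New header array without `name`.
function removeHeader(headers, name) {
  const n = name.toLowerCase();
  return headers.filter(h => h.name.toLowerCase() !== n);
}

// Follows each request across its events by requestId and records how it ended.
class RequestTracker {
  constructor() { this.requests = new Map(); }

  onBeforeRequest(details) {
    this.requests.set(details.requestId, { url: details.url, method: details.method, state: "started" });
  }

  // Constructed policy for the demo: strip the header that leaks the referring page.
  onBeforeSendHeaders(details) {
    const req = this.requests.get(details.requestId);
    if (req) req.state = "sending";
    return { requestHeaders: removeHeader(details.requestHeaders, "Referer") };
  }

  // Classify the outcome from the status code; for redirects, record the target.
  onHeadersReceived(details) {
    const req = this.requests.get(details.requestId);
    if (!req) return {};
    req.statusCode = details.statusCode;
    req.statusLine = details.statusLine;
    if (details.statusCode >= 300 && details.statusCode < 400) {
      const loc = findHeader(details.responseHeaders, "Location");
      req.state = "redirected";
      req.redirectTo = loc ? loc.value : null;
    } else if (details.statusCode >= 400) {
      req.state = "failed";
    } else {
      req.state = "completed";
    }
    // Constructed policy for the demo: forbid framing of every response.
    return { responseHeaders: setHeader(details.responseHeaders, "X-Frame-Options", "DENY") };
  }

  onErrorOccurred(details) {
    const req = this.requests.get(details.requestId);
    if (req) { req.state = "error"; req.error = details.error; }
  }
}

// In an extension: registerListeners(browser.webRequest, new RequestTracker()).
function registerListeners(webRequest, tracker) {
  const filter = { urls: ["<all_urls>"] };
  webRequest.onBeforeRequest.addListener(d => tracker.onBeforeRequest(d), filter);
  webRequest.onBeforeSendHeaders.addListener(d => tracker.onBeforeSendHeaders(d), filter, ["blocking", "requestHeaders"]);
  webRequest.onHeadersReceived.addListener(d => tracker.onHeadersReceived(d), filter, ["blocking", "responseHeaders"]);
  webRequest.onErrorOccurred.addListener(d => tracker.onErrorOccurred(d), filter);
}

// Constructed event sequence standing in for what the browser would deliver:
// request 1 is redirected, request 2 fails at the network layer.
function runDemo() {
  const tracker = new RequestTracker();
  tracker.onBeforeRequest({ requestId: "1", url: "http://example.test/old", method: "GET" });
  const send = tracker.onBeforeSendHeaders({ requestId: "1",
    requestHeaders: [{ name: "Referer", value: "http://page.test/" }, { name: "Accept", value: "*/*" }] });
  const recv = tracker.onHeadersReceived({ requestId: "1", statusCode: 301,
    statusLine: "HTTP/1.1 301 Moved Permanently",
    responseHeaders: [{ name: "Location", value: "https://example.test/new" }] });
  tracker.onBeforeRequest({ requestId: "2", url: "http://unreachable.test/", method: "GET" });
  tracker.onErrorOccurred({ requestId: "2", error: "NS_ERROR_NET_RESET" });
  return { tracker, send, recv };
}

for (const [id, r] of runDemo().tracker.requests) console.log(id, r);
```

Without requestId the two halves of request 1 could not be joined, and without statusCode the 301 would be indistinguishable from a plain success; those are the two gaps the Firefox 47 changes close.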

I'm very satisfied with the work done so far, and as soon as the 3 features above are completed, I'm ready to take on other areas where the Chrome extensions API (hence, for obvious reasons, WebExtensions in their present state) is severely lacking, such as script execution control and fine-tuned content blocking, which still prevent NoScript from migrating.

During the past weeks I've grown intimate with the WebExtensions API source code and familiar enough with the "modern" Firefox development workflow. I'm sure this coming spring will be a most interesting time, and I'm confident that summer will come with a brand new NoScript, reborn as a WebExtension :)

WebExtensions FAQ
https://hackademix.net/2015/08/26/webextensions-faq/
Tue, 25 Aug 2015 23:36:24 +0000, Giorgio

WebExtensions are making some people happy, some people angry, and leaving many people with questions.
Some of the answers can be found here, more to come as add-on developers keep discussing this hot topic.
My favourite one: No, your add-ons' ability and your own creativity won't be limited by the new API.

WebExtensions API & NoScript
https://hackademix.net/2015/08/22/webextensions-api-noscript/
Sat, 22 Aug 2015 07:48:51 +0000, Giorgio

Updated on 28th August 2015

Many of you have read a certain announcement about the future of Firefox's add-ons and are worried about some extensions, including NoScript, being deeply rooted in those Mozilla core technologies, such as XPCOM and XUL, which are going to be deprecated.

Developers and users are also concerned about add-ons being prevented from exploring radically new concepts which would require those "super powers" apparently taken away by the WebExtensions API.

I'd like to reassure them: Mozilla is investing a lot of resources to ensure that complex and innovative extensions can prosper also in the new Web-centric ecosystem. In fact, as mentioned by Bill McCloskey, at this moment I'm working within Mozilla's Electrolysis team and with other add-on authors, involved in the design of mechanisms and processes helping developers experiment in directions not supported yet by the "official" WebExtensions API, which is going to be augmented and shaped around their needs and with their contributions.

I've just published a proposal, tentatively called native.js, to "embrace & extend" the WebExtensions API: all the interested parties are invited to discuss it on discourse.mozilla-community.org.

28th August 2015 Update

native.js has been linked in the Web Extensions FAQ and now there's a Bugzilla entry about implementing a native.js prototype (please keep the discussion on Discourse rather than on Bugzilla, though!!!).

NoScript Does Accept Bitcoin Donations
https://hackademix.net/2015/02/06/noscript-does-accept-bitcoin-donations/
Fri, 06 Feb 2015 15:02:05 +0000, Giorgio

It just occurred to me that Google did not know about tweets at the time I wrote this one:

So you want to donate in #bitcoin to help NoScript's development? Now you can, bitcoin:1Kupnx5isBdAJ5ki2BEVF6sBuYmkYigWPU

Since I routinely receive inquiries from potential bitcoin donors, I hope this post will be easier to find.

Both Your Cheeks
https://hackademix.net/2015/01/16/both-your-cheeks/
Fri, 16 Jan 2015 17:53:40 +0000, Giorgio

Pope Punch

Dear pope Francis,

Thank you for this chance to punch your face (both cheeks, the way you christians enjoy best) because your organization routinely defames and insults His Majesty Satan.

Your friendly neighbourhood satanist

P.S.: a very good article about this from The Guardian.

P.P.S.: Yes, I think free thinking, free speech and censorship are very relevant to the Open Web.

s/http(:\/\/(?:noscript|flashgot|hackademix)\.net)/https\1/
https://hackademix.net/2014/11/20/shttpnoscriptflashgothackademixnethttps1/
Wed, 19 Nov 2014 23:16:20 +0000, Giorgio

I'm glad to announce noscript.net, flashgot.net and hackademix.net have been finally switched to full, permanent TLS with HSTS.

Please do expect a smörgåsbord of bugs and bunny funny stuff :)

Avast, you're kidd... killing me - said NoScript >:(
https://hackademix.net/2014/11/19/avast-youre-kidd-killing-me-said-noscript/
Wed, 19 Nov 2014 13:20:04 +0000, Giorgio

If NoScript keeps disappearing from your Firefox, Avast! Antivirus is likely the culprit.
It's gone berserk and is mass-deleting add-ons without a warning.
I'm currently receiving tons of reports from confused and angry users.
If the antivirus is dead (as I've been preaching for 7 years), it looks like it's not dead enough, yet.

No Free Professional Service
https://hackademix.net/2014/05/13/no-free-professional-service/
Mon, 12 May 2014 22:32:33 +0000, Giorgio

This is a real exchange from NoScript's “User Reviews” section at AMO, copied here as a memento and a caveat (for NoScript's potential “customers”? for free software developers?), since some or all of it may be edited by its authors or deleted by those nasty AMO editors in the near future.

1. Deception and rude treatment of users

  Rated 1 out of 5 stars
  by JamesOnTheWay on May 12, 2014

  My negative review was deleted; therefore, I no longer have confidence in NoScript or its developer. I was not looking for a bug fix. I was warning potential users away, which is permitted in the review guidelines. I will report this to Mozilla and blog about this treatment. Deleting negative reviews is pure deception!

  NoScript was slowing my Firefox and freezing it, and the worst was in GMail. It became non-functional every time a NoScript update was released, which was often daily. FanMaderWeb reported this same issue on April 9, 2014 and his/her 1-star review was not removed. I removed NoScript, which solved all of those problems. I have since discovered that I had unknowingly been switched to beta versions. Whether this was the cause of all those issues, I will never know, because my review was rudely deleted, as I expect this one will be.

  (no title)

  by FanMaderWeb on April 9, 2014

  Very bad. The add-on constantly has to be adjusted for sites that use nothing but JavaScript or the like. You can't even access your e-mail inbox with it!

2. Non-reproducible (yet) bug report

  by Giorgio Maone (Developer) on May 12, 2014

  Review guidelines don’t allow bug reports because they cannot be discussed and followed up here, since this is not a tracker / forum. Since you’re the only one (at this moment) reporting this issue (out of millions of users), it is likely related to your specific configuration and worth investigating, but you choose to scare other users away instead, which is not a very constructive approach (it doesn’t help other users in your situation, nor the product to improve). This is anyway still a “misplaced bug report”, no matter if you were looking for a fix or not. That’s why yes, this review will likely be deleted again. Notice that I cannot delete any review by myself: this decision is up to AMO’s editorial staff. You can still go ahead and “report this to Mozilla and blog about this treatment” if it makes you feel better, but sharing more details at noscript.net/forum would be the right thing to do for everyone’s benefit.

3. No Free Professional Services

  Rated 3 out of 5 stars
  by JamesOnTheWay on May 12, 2014

  Maone, I am a retired computer professional. My training began with machine language in 1972. I do not debug other people’s work for free. I was taught to never release a buggy product and that customers are only kept with good customer service. Belittling customers drives us away.

4. Refund

  by Giorgio Maone (Developer) on May 12, 2014

  Dear “customer”, you’ve got a point. I’ll be happy to fully refund the price of the buggy software you paid for. Then I’ll go back to my cubicle and try to blindly reproduce the problem you (alone, so far) have experienced, but whose details you rightfully refuse to reveal unless paid for this service. Thank you for your business!