Archive for the Security Category

OTF-funded security/privacy FLOSS

As the readers of this blog almost surely know, I'm the author of NoScript, a web browser security enhancer which can be installed on Firefox and Chrome, and comes built-in with the Tor Browser.

NoScript has received support by the Open Technology Fund (OTF) for specific development efforts: especially, to make it cross-browser, better internationalized and ultimately serving a wider range of users.

OTF's mission is supporting technology to counter surveillance and censorship by repressive regimes and to foster Internet Freedom. One critical and strict requirement for OTF to fund or otherwise help software projects is that they be licensed as Free/Libre Open Source Software (FLOSS), i.e. their code must be publicly available for inspection, modification and reuse by anyone. Among the successful projects funded by OTF, you may know or use Signal, Tor, Let's Encrypt, Tails, Qubes OS, Wireshark, OONI and GlobaLeaks. Millions of users all around the world, whatever their political views, trust them because they are FLOSS, which makes vulnerabilities, and even intentionally malicious code, harder to hide.

Now this virtuous modus operandi is facing an existential threat, which started when the whole OTF leadership was fired and replaced by Michael Pack, the controversial new CEO of the U.S. Agency for Global Media (USAGM), the agency OTF reports to.

Lobbying documents emerged on the eve of former OTF CEO Libby Liu's defenestration, strongly suggesting this purge is the prelude to a push to de-fund FLOSS, and especially "p2p, privacy-first" tools, in favor of large scale, centralized and possibly proprietary "alternatives": two closed source commercial products are explicitly named among the purportedly best recipients of funding.

Besides the weirdness of seeing "privacy-first" used as a pejorative when talking about technologies protecting journalists and human rights defenders from repressive regimes such as Iran or the People's Republic of China (even more so now, while the so-called "Security Law" is enforced against Hong Kong protesters), I find it very alarming that there is no recognition of how fundamentally important it is for these tools to be open source if they are to be trusted by their users, whatever country or fight they're in, when their lives are at risk.

Talking of my own experience (but I'm confident most other successful and effective OTF-funded software projects have similar stories to tell): I've been repeatedly approached by law enforcement representatives from different countries (including the PRC), and also by less "formal" groups, with a mix of allegedly noble reasons, interesting financial incentives and veiled threats, to put ad-hoc backdoors in NoScript. I could deny all such requests not because of any exceptional moral fiber of mine, even though being part of the "OTF community", where the techies who build the tools meet the human rights activists who use them in the field, helped me grow aware of my responsibilities. I could say "no" just because NoScript being FLOSS made it impractical, indeed suicidal: anyone looking at the differences in the source code could spot the backdoor, and I would lose any credibility as a security software developer. NoScript would be forked, in the best case scenario, or dead.

The strict FLOSS requirement is only one of the great features of OTF's transparent, fair, competitive and evidence-based award process, but I believe it's the best assurance that we can actually trust our digital freedom tools.

I'm aware of (very few) other organizations and funds adopting similar criteria, likely managing larger budgets too, especially in Europe: so if the USA really decides to give up its leadership in the Internet Freedom space, NoScript and other tools such as Tor, Tails or OONI would still have a door to knock on.

But none of these entities, AFAIK, own OTF's "secret sauce": bringing together technologists and users in a unique, diverse and inclusive community of caring humans, where real and touching stories of oppression and danger are shared in a safe space, and help shape effective technology which can save lives.

So please, do your part to save Internet Freedom, save OTF, save trust.

I'm pleased to announce that, some hours ago, the first public beta of cross-browser NoScript (10.6.1) passed Google's review process and was published on the Chrome Web Store.
This is a major milestone in NoScript's history, which started on May 13th, 2005 (next year we will celebrate our 15th birthday!).
NoScript on the Chrome Web Store

Over all these years NoScript has undergone many transformations, porting and migrations:

  • three distinct Android ports (one for Fennec "classic", one for Firefox Mobile, the last as a WebExtension);
  • one partial rewrite, to make it multi-process compatible;
  • one full, long and quite dramatic rewrite, to migrate it to the WebExtensions API (in whose design and implementation Mozilla involved me as a contributor, in order to make this possible).

And finally, today we have a unified code base compatible with both Firefox and Chromium, and possibly in the future with other browsers supporting the WebExtensions API to a sufficient extent.
One difference Chromium users need to be aware of: on their browser NoScript's XSS filter is currently disabled. At least for the time being they'll have to rely on the browser's built-in "XSS Auditor", which over time has unfortunately proved not to be as effective as NoScript's "Injection Checker". The latter could not be ported yet because it requires asynchronous processing of web requests, one of several capabilities that only Firefox provides to extensions. To be honest, during the "big switch" to the WebExtensions API, which was largely inspired by Chrome, Mozilla involved me in its design and implementation with the explicit goal of ensuring that it supported NoScript's use cases as much as possible. Regrettably, the additions and enhancements which resulted from this work have not been picked up by Google.
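The asynchronous-listener limitation described above, shown as an added example that is not NoScript's own code: a deliberately small injection heuristic is wrapped in a blocking webRequest listener that returns a Promise, and two constructed dispatch functions stand in for how Firefox and Chromium consume that listener's return value (Firefox waits for a returned Promise; Chromium reads the return value synchronously, so a Promise carries no `cancel` decision). The URL patterns, function names and sample URLs are this example's own assumptions, not the project's, and the dispatchers are simulations rather than browser code. (Chromium has since removed the XSS Auditor entirely, in Chrome 78.)

```javascript
// Added example (not NoScript code): why an asynchronous injection checker
// can run as a blocking webRequest listener on Firefox but not on Chromium.
// In a real extension the listener is registered with
//   browser.webRequest.onBeforeRequest.addListener(listener, filter, ["blocking"]);
// here two constructed dispatchers stand in for the two browsers so the
// difference can be run offline in Node.

// Deliberately small stand-in for an injection checker: it looks for markup
// or script syntax in the query string and fragment of a request URL.
// NoScript's real Injection Checker is far more thorough; this heuristic
// will false-positive on legitimate values such as "?on=1".
const INJECTION_PATTERNS = [
  /<\s*script\b/i,                          // <script ...>
  /\bjavascript\s*:/i,                      // javascript: URLs
  /\bon[a-z]+\s*=/i,                        // onload=, onerror=, ...
  /<\s*(?:img|svg|iframe|object|embed)\b/i  // markup that can carry handlers
];

function looksInjected(url) {
  const u = new URL(url);
  // Check raw and decoded forms: payloads usually arrive percent-encoded.
  const candidates = [u.search, u.hash, ...u.searchParams.values()];
  return candidates.some(c => {
    let decoded = c;
    try { decoded = decodeURIComponent(c); } catch (e) { /* keep raw form */ }
    return INJECTION_PATTERNS.some(re => re.test(decoded));
  });
}

// The checker is asynchronous (the real one needs to be), so the listener
// returns a Promise that resolves to a BlockingResponse-shaped object.
async function checkInjection(url) {
  await new Promise(resolve => setTimeout(resolve, 0)); // stands in for async work
  return looksInjected(url);
}

async function onBeforeRequest(details) {
  return (await checkInjection(details.url)) ? { cancel: true } : {};
}

// Firefox: a blocking listener may return a Promise, and the browser waits
// for it before letting the request proceed (Firefox-only behaviour).
async function firefoxDispatch(listener, details) {
  const response = await listener(details);
  return response && response.cancel ? "blocked" : "allowed";
}

// Chromium: the return value is consumed synchronously. A Promise object has
// no `cancel` property, so the request is allowed before the check finishes.
function chromiumDispatch(listener, details) {
  const response = listener(details);
  return response && response.cancel === true ? "blocked" : "allowed";
}

// Constructed sample requests (not taken from the post).
const EVIL_URL = "https://victim.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E";
const BENIGN_URL = "https://victim.example/search?q=noscript+chrome";

async function demo() {
  const results = {};
  for (const [name, url] of Object.entries({ evil: EVIL_URL, benign: BENIGN_URL })) {
    results[name] = {
      firefox: await firefoxDispatch(onBeforeRequest, { url }),
      chromium: chromiumDispatch(onBeforeRequest, { url })
    };
  }
  return results;
}

demo().then(r => console.log(JSON.stringify(r, null, 2)));
```

Running it shows the evil URL blocked under the Firefox-style dispatcher and allowed under the Chromium-style one, even though the same listener ran in both cases: the decision simply arrives too late for a browser that only honours synchronous return values.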

Let me repeat: this is a beta, and I urge early adopters to report issues in the "Support" section of the NoScript Forum, and more development-oriented ones to file technical bug reports and/or contribute patches at the official source code repository. With your help as beta testers, I plan to bless NoScript 11 as a "stable Chromium-compatible release" by the end of June.

I couldn't thank the awesome Open Technology Fund folks enough for the huge support they gave to this project, and to NoScript in general. I'm really excited at the idea that, under the same umbrella, next week Simply Secure will start working on improving NoScript's usability and accessibility. At the same time, integration with the Tor Browser is getting smoother and smoother.

The future of NoScript has never been brighter :)

See also ZDNet's and GHacks' coverage of the announcement.

Second email I've received today (some headers omitted):

Return-Path: <ludv.jani-2015@vrg.se>
Received: from unknown (HELO mail.bsme-mos.ru) (95.163.65.54)
by ariel.informaction.com with SMTP; 27 Jan 2017 11:25:22 -0000
Received: from unknown (HELO o) (zayavka@bsme-mos.ru@94.23.58.202)
by mail.bsme-mos.ru with SMTP; 27 Jan 2017 14:25:17 +0300
Subject: question
Date: Fri, 27 Jan 2017 12:25:26 +0100
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 16.4.3528.331
X-MimeOLE: Produced By Microsoft MimeOLE V16.4.3528.331

This is a multi-part message in MIME format.

------=_NextPart_000_25F3_01D27898.7064C4E0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_25F4_01D27898.7064C4E0"

------=_NextPart_001_25F4_01D27898.7064C4E0
Content-Type: text/plain;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

Hey. I found your software is online. Can you write the code for my proje=
ct? Terms of reference attached below.
The price shall discuss, if you can make. Answer please.

------=_NextPart_001_25F4_01D27898.7064C4E0
Content-Type: text/html;
charset="windows-1251"
Content-Transfer-Encoding: quoted-printable

(HTML omitted)

------=_NextPart_001_25F4_01D27898.7064C4E0--

------=_NextPart_000_25F3_01D27898.7064C4E0
Content-Type: application/octet-stream;
name="PROJECT.gz"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="PROJECT.gz"
...

The "PROJECT.gz" file, despite its extension, was actually a RAR archive containing a "PROJECT.doc" MS Word document, presumably with some malicious macro payload (I didn't bother to check).

The earlier one had a "2701.zip" attachment, with a "2701.doc" inside, likely the same as the other one (unfortunately I had not kept it for reference).
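As an added example that is not part of the post: the triage check that backs up the observation above, identifying an attachment by its leading bytes rather than by the extension it advertises, which is how a "PROJECT.gz" turns out to be a RAR archive. The signature table, function names and the two sample attachment bodies are constructed for this example; the samples are not the original attachments.

```javascript
// Added example (not from the post): identify an e-mail attachment by its
// magic bytes rather than by the file name it advertises. The sample bodies
// below are constructed for this example and are not the original files.

// Leading byte signatures of the container formats that matter here.
// Longer signatures come first so RAR 5 is not reported as plain RAR.
const SIGNATURES = [
  { type: "rar5", bytes: [0x52, 0x61, 0x72, 0x21, 0x1a, 0x07, 0x01, 0x00] }, // "Rar!\x1a\x07\x01\x00"
  { type: "rar",  bytes: [0x52, 0x61, 0x72, 0x21, 0x1a, 0x07, 0x00] },       // "Rar!\x1a\x07\x00" (RAR 1.5 to 4.x)
  { type: "ole",  bytes: [0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1] }, // legacy .doc/.xls (OLE2)
  { type: "zip",  bytes: [0x50, 0x4b, 0x03, 0x04] },                         // "PK\x03\x04" (also .docx)
  { type: "gzip", bytes: [0x1f, 0x8b] }
];

// What each extension claims to be, for comparison with the sniffed type.
const EXTENSION_TYPES = { gz: "gzip", zip: "zip", rar: "rar", doc: "ole", docx: "zip" };

function sniffType(buf) {
  for (const { type, bytes } of SIGNATURES) {
    if (buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b)) return type;
  }
  return "unknown";
}

function declaredType(filename) {
  const ext = filename.toLowerCase().split(".").pop();
  return EXTENSION_TYPES[ext] || "unknown";
}

// Takes a MIME part's filename and its base64 body (Content-Transfer-Encoding:
// base64) and reports what the name claims, what the bytes say, and whether
// the two disagree. RAR 4 and RAR 5 are treated as one family.
function triageAttachment(filename, base64Body) {
  const buf = Buffer.from(base64Body.replace(/\s+/g, ""), "base64");
  const declared = declaredType(filename);
  const actual = sniffType(buf);
  const isRar = t => t === "rar" || t === "rar5";
  const mismatch = declared !== actual && !(isRar(declared) && isRar(actual));
  return { filename, declared, actual, mismatch };
}

// Constructed sample bodies: a RAR 4.x marker block plus the start of a main
// header, advertised as .gz; and a zip local file header with an honest name.
const SAMPLES = {
  "PROJECT.gz": Buffer.from([0x52, 0x61, 0x72, 0x21, 0x1a, 0x07, 0x00,
                             0xcf, 0x90, 0x73, 0x00, 0x00, 0x0d, 0x00]).toString("base64"),
  "2701.zip":   Buffer.from([0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00,
                             0x08, 0x00]).toString("base64")
};

function triageAll() {
  return Object.entries(SAMPLES).map(([name, body]) => triageAttachment(name, body));
}

for (const r of triageAll()) {
  console.log(`${r.filename}: declared ${r.declared}, actual ${r.actual}` +
              (r.mismatch ? "  <-- extension does not match content" : ""));
}
```

A mismatch is not proof of malice (mis-named uploads happen), but it is cheap to compute before anything is opened, and it is exactly the kind of signal that should send an attachment to a sandbox or a multi-engine scanner rather than to a double-click.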

Both messages appear to be hand-crafted, and this, together with the reference to today's date in the attachment file name, IMHO hints at a focused campaign explicitly aimed at people perceived as "high return investments", such as developers (possibly working on popular / open source projects).

I doubt many of us would fall for this stuff, but I felt a heads up was in order nonetheless ;)

Update

As soon as I published this post I checked my inbox and there was another one...

Update 2

It looked like VBA macro malware, indeed. Thanks Ludovic for reminding me of VirusTotal.

An update from the field by a friend of a friend on the situation in Turkey.
It's hard to believe Erdogan's criminal regime sits practically inside Europe and is a prominent member of NATO.

Today 11 HDP (Peoples’ Democracy Party) parliamentarians were taken into custody. And to-date, 170 media outlets have been banned, 130 journalists in prison, and 30 democratically elected Kurdish Mayors in prison.

Today, the Turkish police took eleven HDP (Peoples’ Democracy Party) parliamentarians, including the co-chairs Selahattin Demirtas and Figen Yuksekdag, into custody in after-midnight raids. The MPs’ houses and the party’s headquarters were raided, doors were broken and the parliamentarians were forcefully detained.

In the past several months, the government has been using the coup attempt of July 15th as an opportunity to consolidate its rule by eliminating every single oppositional voice in the country, especially the HDP, which halted the authoritarian project of a presidential system in both the June and November 2015 elections by preventing Erdogan's AKP from winning a sufficient number of parliamentary seats to make the necessary constitutional changes.

About 30 democratically elected Kurdish mayors are in prison now and about 70 of them have been dismissed by the central government.

Freedom of expression has been almost entirely undermined. By government decrees with the force of law, over 170 media outlets have been banned. More than 130 journalists are in prison, including some world-renowned authors and intellectuals.

Most recently, two Kurdish news agencies and several Kurdish dailies were closed, and the editor-in-chief, columnists and journalists of the pro-Republican People's Party (CHP) daily Cumhuriyet were detained. Many academics are under criminal investigation for signing a peace petition.

Friends from around the globe, these are days when we most need international solidarity.

On April the 7th at 22:53, Aaron wrote:

I just read a Digital Trends article that states NoScript is a security breach. What's the story here???

It's a story of FUD and sensationalism, reported so carelessly that explaining and correcting readers' perception is now an uphill battle.
What the researchers actually demonstrated is that a malicious Firefox extension, one that has already been approved by an AMO code reviewer and manually installed by the user, can call into another add-on the same user had previously installed and have it perform low-level tasks on its behalf, rather than invoking the low-level function directly, as any installed add-on could do anyway. This gains the malicious extension no further privilege; it serves only as obfuscation.

It's like saying that you need to uninstall Microsoft Office immediately because tomorrow you may also install a virus that then can use Word's automation interface to replicate itself, rather than invoking the OS input/output functions directly. Or that, for the same reasons, you must uninstall any Mac OS application which exposes an AppleScript interface.

BTW, if you accept this as an Office or AppleScript vulnerability, Adblock Plus is not less "vulnerable", so to speak, than the other mentioned add-ons, despite what the article states. It's just that those "researchers" were not competent enough to understand how to "exploit" it.

And I'm a bit disappointed in Nick Nguyen who, rather than putting some effort into rebutting this cheap "research", chose the easier path of pitching our new WebExtensions API. Its better isolation and permissions system actually makes this specific scenario less likely, and deserves praise anyway, but it does not and could not prevent the almost infinite other ways to obfuscate malicious intent available to any non-trivial program, be it a Chrome extension, an iOS app or a shell script. Only the trained eye of a code reviewer can mitigate this risk, and even if there's always room for improvement, this is what makes AMO stand out among the crowd of so-called "marketplaces".
