Shamar's recent activity

  1. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    And I guess this is a constructive counter point, isn't it?

    Please find in this thread an alternative constructive proposal to mitigate the vulnerability.

    One single alternative proposal posted before this comment.

  2. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    What's not clear about the HTTP Cache-Control part of the bug report?
    Or maybe I misspelled "undetectable"?

    Now you will say that this is an unconstructive answer to your totally constructive comment.
    I don't know what to do with this attitude.

    But note, by talking about how these attacks can be used against people beyond "you" and how such third party attacks could severely affect your life too, I was not trying to spread FUD: these attacks are likely to happen.

    Indeed, instead of saying they cannot, you are basically just saying I'm a fool.
    I don’t care much, really.

    But if you can prove such attacks are not possible please do it. ;-)

  3. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    The linked PoC shows how to access the open ports on your machines and how to access the webservices that your machine can access. Despite your firewall or proxy.

    What's not clear about them?

  4. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    Mm... I appreciate the frankness.

    I think there is some language barrier here or something, as I carefully try to stay polite and focused on the matter.

    Fine.
    Can you please open another report where this issue can be discussed in a more effective way?
    Use your words and style. Really... I don't know how to write it more clearly so it's pointless to try again.

  5. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    A doctor is not a security expert. Nor is a private banker.
    Do you really think all companies, all over the world, spent the money required to train all of their employees about the risks for their customers when they read an apparently harmless text article over the Web?

    In any case, these are just some of the possible attacks.

    Do you like to stay vulnerable? Fine!

    Do you want other people to stay unaware AND vulnerable? Be honest and tell them.

  6. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    "Javascript can be used to stab users in the back. How do we fix it without breaking it?"

    This is the kind of argument that people debating the qualities of JavaScript as a language would propose.
    I'm talking about a severe security issue that you say exists!
    In the number of people affected, it's equivalent to Meltdown.
    But not being a hardware issue, it could already have been fixed.

    The solutions you propose will break the internet as it exists today.

    Diff, please note that I didn't propose any mitigation until asked for solutions.
    I just reported the vulnerability describing the attacks.
    If you (or Mozilla) have other effective mitigations to propose (or implement) you are totally welcome to!

    The only thing that I cannot understand as a developer myself is closing the issue pointing to a forum and never trying to address the attacks! They didn't dare to deny the attacks, they are just leaving users vulnerable!

    If you actually want anything fixed like you say you do, you need to work in ways that go with the grain.

    I'm just trying to inform people.
    The fact that informing people is fought (here like elsewhere) is not a good sign about our field, don't you think?

    If the bug report is "not technically wrong", if people are vulnerable to these attacks, those who write that broken code (and those broken Standards) should find the proper way to mitigate the risks.

    Not me.

  7. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    You didn't answer.

  8. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    you have no intention of engaging in a good faith discussion of this issue [...]

    You didn't say anything about the issue, you just talked about "methods" and how "diplomacy matters".
    If you have any question on how these attacks can be performed, I'm glad to help.

    this sort of antagonistic behavior that seems to be the norm among anti-JavaScript advocates

    Fun fact: I'm a JavaScript programmer myself.
    And this issue is not only about JavaScript: any Rust program compiled to WebAssembly and distributed over the Web would expose the visitors to the exact same attacks (but made worse by the compiler's optimization).

    Good luck with your cause.

    Thanks, but it's not "my cause". Really!
    It's just a severe security vulnerability affecting billions of people and organizations.

  9. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    For these specific attacks, the sensitive data in their browsing PC are totally irrelevant.

    They just need to connect through their DMZ network with their smartphone.

  10. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    you have a point, yes, and people recognize that

    Just like I don't care about being called a troll on the internet, I don't care about having a point.

    I just care about these issues being fixed and people being informed. From the very beginning.

    assuming you're operating in good faith

    What could I gain from this?
    What could Mozilla lose from this?
    What are JS developers (like me) afraid to lose from this?

    I think the answers to these questions explain pretty well who is in good faith and who is not.

  11. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    Thanks for your suggestion, but it's not an uphill battle.
    It's not a battle at all. Not for me.

    I just want to inform people they are vulnerable to these undetectable attacks.
    And that the organizations they trust fail to inform them about such attacks.
    And that such organizations don't want to mitigate the risks.
    Even though the mitigations are relatively simple and cheap.

    Simply stating the Truth is not a battle.

  12. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    Is having all these wonderful technologies that let remote sites manipulate my experience worth the risk of my computer being compromised?

    IMO, yes... unequivocally yes.

    Fine.
    But is having all these wonderful technologies that let remote sites manipulate any user experience worth the risk of your private banker's computer being compromised? What about your doctor?

  13. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    everyone agreed breaking 1% of requests was huge

    Yes, but TLS 1.3 was not a bug fix.
    What I proposed would fix a severe security vulnerability that affects 90% of users.
    Maybe there are better fixes, but it's something that fixes and does not break.

    you know nobody is going to pick you up on this

    Well... actually a few people are moving in the underground... ;-)

  14. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    As a software developer you should then be aware that a risk is not a bug.

    Out of curiosity, do you think a dangling pointer is a risk or a bug?

    A bug is a problem with software not performing as expected when compared to the specification.

    That's true for the specified parts.
    Do you really think that bugs happen only in the parts covered by a specification? :-)

    Would you leave your users vulnerable just because no line in the "standards" you (wrote and) implemented says that you have to protect them?

    No, I would not. I would go through the correct channels, noting the risk and filing a change request, pointing out the issues.

    And meanwhile you leave your user vulnerable to these attacks.

    Do you have an idea of the time required to get a new standard approved by W3C?
    And, again, you cannot get a standard approved by WHATWG without an implementation working.

    You can do the same, and I strongly encourage it!

    I'd say it's a bit naive of an expectation, but I'm very happy if you are going to try it yourself!

  15. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    So, according to you the problem is me asking 3 or 4 times this question, not Mozilla Security NOT responding.
    (in the thread they suggested to discuss the issue)

  16. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    Different person, hello!

    Hi Nephrited, web developer by profession (including JS) here too.

    You are correct that there is no line in the web standard that requires a browser to enable JS execution by default. However, there is also no line that requires any browser to disable JS execution by default. This is, by definition, not a bug!

    To me, if the people using my software are vulnerable to such a wide class of undetectable attacks, it's a bug.

    Would you leave your users vulnerable just because no line in the "standards" you (wrote and) implemented says that you have to protect them?

  17. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    Well... thanks for your opinion! :-D
    I hope others will go through the comments to see if you are right or not.

    Anyway you are wrong on something: nobody from Mozilla said "Firefox users are vulnerable to these attacks, but there are trade-offs that we value more than their security".

    Ultimately I just asked: "Are Firefox users vulnerable to this wide class of undetectable attacks?".
    Is this "antagonistic behaviour" to you?

  18. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    I guess you don't know much about the "wide-reaching internet standards" you are talking about.

    I opened a bug report because these are Living Standards that follow the implementations.
    To fix these "Standards" you need to fix at least one implementation first.

    Also, I challenge you to find a line in the Standards we are talking about stating that JavaScript cannot be OPT-IN on a per website basis.

    Guess what?
    You don't need to violate any WHATWG's standard to implement these mitigations.

  19. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    Oh it's you again.

    Hi Diff, did we talk before?

    Dude, you're not gonna win anyone over like this, there's a reason you were banned from Lobsters.

    Yes, there is: "Constant antagonistic behavior and no hope for improvement".
    You are welcome to read my posts and comments there to see how antagonistic I was (some of the censored comments are readable here).

    But note: blaming me for these attacks is a bit pointless.

    Cut the dramatics, come at the issue from a sane angle.

    Hum... to me, the bug report was clear, descriptive and only mentions technical stuff that can be verified.
    If you think the reactions were insane, why do you tell me to change angle?

    Please. I like the idea but you are killing it.

    If so, please: help informing people.
    If you agree that these attacks are possible, informing people can't harm.
    If you think I did a bad job with the bug report, feel free to integrate it. Or to create a new one. Or...

    To my eye it is not a matter of how (or who). All that counts is

    • informing people, organizations, companies and governments about the attacks they are vulnerable to
    • mitigating such attacks.

    Really: if you can do better than I did, you are welcome!

  20. Comment on Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery in ~comp

    The vast majority of internet users are not technically literate enough to handle script micro-management on all the websites they visit

    You mean the way they do with push notifications? ;-)

    what would you have gained by making it opt-in

    First you raised awareness about the topic, instantly improving the security of users and organisations.

    Then in less than a year you will get a faster and more accessible Web, since the site owners will stop using JavaScript when they don't need to.

    You will also see faster progress on declarative alternatives to JS, such as CSS and new HTML elements.

    Finally, fine-grained user interaction won't be so easy to track.

    Cool it on the anti-government, anti-weborgs rhetoric

    Government agencies are affected by these attacks like any other users.

    As for web organisations, I was surprised by Mozilla's reactions until somebody pointed out to me that the vast majority of their budget comes from Google.

    Google that people would probably trust in an opt-in JavaScript world but that would lose precious data collected through Analytics.

    maybe then you can actually win some people to your side

    To be fair, the fact that we need marketing or politics to get such a wide variety of attacks mitigated is dangerous by itself.

    I don’t want to play this game. It is a burden on the credibility of our whole sector.

    And I don't want to win allies, I just want to inform people.