[Owasp-board] OWASP tied to trojaned Firefox Add-on
Matt Tesauro
matt.tesauro at owasp.org
Sun Jul 18 03:30:49 UTC 2010
I have no idea whether the ones on the Live CD or any recommended on the
OWASP site are trojaned or not.
I am certain that I never included the "Mozilla Sniffer" Add-on on the
Live CD. That was the one that was recently found to be trojaned.
That's the extent of what I was saying in my previous email.
Considering the fact that there are no MD5 sums to check, no PGP/GPG
signatures to verify, it's pretty much impossible to know with confidence
that you're getting "good" or even the right code from FF Add-ons and
any number of other software packages you can download today.
Hopefully the code reviews that Mozilla is putting in place will help -
at least for the FF Add-ons.
As an old school Linux guy, I really like when I get signed packages
with hashes of the downloads. nmap has been doing that for years and I
wish more people would follow that lead.
My 2 cents.
--
-- Matt Tesauro
OWASP Board Member
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site
On 7/17/10 3:45 AM, dinis cruz wrote:
> Matt, how do you know that the ones that are on the LiveCD or
> recommended on the OWASP website don't have similar backdoors?
>
> Dinis Cruz
>
> On 16 Jul 2010, at 21:04, Matt Tesauro <matt.tesauro at owasp.org> wrote:
>
>> It's never been on the Live CD.
>>
>> The ones on the Live CD are listed here:
>> http://mtesauro.com/livecd/index.php?title=Firefox_Add-ons_included
>>
>> HTH
>>
>> --
>> -- Matt Tesauro
>> OWASP Board Member
>> OWASP Live CD Project Lead
>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>> http://AppSecLive.org - Community and Download site
>>
>> On 7/16/10 11:18 AM, Eoin wrote:
>>> Hi,
>>> Is this on the live cd? If so which version?
>>>