[Owasp-board] OWASP tied to trojaned Firefox Add-on

Matt Tesauro matt.tesauro at owasp.org
Sun Jul 18 03:30:49 UTC 2010


I have no idea whether the ones on the Live CD or any recommended on the 
OWASP site are trojaned.

I am certain that I never included the "Mozilla Sniffer" Add-on on the 
Live CD.  That was the one that was recently found to be trojaned. 
That's the extent of what I was saying in my previous email.

Considering the fact that there are no MD5 sums to check, no PGP/GPG 
signatures to verify, it's pretty much impossible to know with confidence 
that you're getting "good" or even the right code from FF Add-ons and 
any number of other software packages you can download today.

Hopefully the code reviews that Mozilla is putting in place will help - 
at least for the FF Add-ons.

As an old school Linux guy, I really like when I get signed packages 
with hashes of the downloads.  nmap has been doing that for years and I 
wish more people would follow that lead.

My 2 cents.

--
-- Matt Tesauro
OWASP Board Member
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site

On 7/17/10 3:45 AM, dinis cruz wrote:
> Matt, how do you know that the ones that are on the LiveCD or
> recommended on the OWASP website don't have similar backdoors?
>
> Dinis Cruz
>
> On 16 Jul 2010, at 21:04, Matt Tesauro<matt.tesauro at owasp.org>  wrote:
>
>> It's never been on the Live CD.
>>
>> The ones on the Live CD are listed here:
>> http://mtesauro.com/livecd/index.php?title=Firefox_Add-ons_included
>>
>> HTH
>>
>> --
>> -- Matt Tesauro
>> OWASP Board Member
>> OWASP Live CD Project Lead
>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>> http://AppSecLive.org - Community and Download site
>>
>> On 7/16/10 11:18 AM, Eoin wrote:
>>> Hi,
>>> Is this on the live cd? If so which version?
>>>
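
The check Matt is asking for, as an added example that is not code from the OWASP Live CD project, Mozilla or nmap: verify a downloaded artifact against a published checksum list and, when gpg and the publisher's key are available, a detached signature over that list. It uses SHA-256 rather than MD5, since MD5 is no longer collision-resistant. The file names, the SHA256SUMS layout (the "<hex>  <name>" form that sha256sum itself emits) and the keyring path are assumptions, and the add-on archive it checks is constructed in a temp directory so the script runs offline.

```shell
#!/bin/sh
# Added example (not code from the OWASP Live CD project, Mozilla or nmap):
# verify a downloaded artifact against a published SHA-256 checksum list and,
# optionally, a detached PGP signature over that list.
# Assumptions: the checksum list uses the "<hex>  <name>" layout that
# sha256sum itself emits, and the publisher's key lives in a keyring file
# obtained out of band (not from the same server as the download).
set -u

# verify_checksum FILE SUMS_FILE
# Returns 0 if FILE's SHA-256 matches its entry in SUMS_FILE, 1 on a
# mismatch, 2 if SUMS_FILE has no entry for FILE at all.
verify_checksum() {
    file=$1
    sums=$2
    name=$(basename "$file")
    # Accept both "hash  name" (text mode) and "hash *name" (binary mode).
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
    return 0
}

# verify_signature SUMS_FILE SIG_FILE KEYRING
# Returns 0 if SIG_FILE is a valid detached signature over SUMS_FILE made by
# a key in KEYRING, 3 if gpg is not installed. Without this step a checksum
# list only proves the download was not corrupted in transit: anyone who can
# replace the artifact on the server can replace the checksum next to it.
verify_signature() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; cannot verify signature" >&2
        return 3
    fi
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1" 2>/dev/null
}

# demo: builds a constructed "add-on" and checksum list in a temp dir, then
# shows a clean copy passing and a tampered copy being rejected.
# Returns 0 when both checks behave as expected.
demo() {
    dir=$(mktemp -d)
    printf 'constructed add-on payload\n' > "$dir/addon.xpi"
    ( cd "$dir" && sha256sum addon.xpi > SHA256SUMS )
    if ! verify_checksum "$dir/addon.xpi" "$dir/SHA256SUMS"; then
        rm -rf "$dir"; return 1
    fi
    echo "clean copy: OK"
    printf 'appended by attacker\n' >> "$dir/addon.xpi"
    if verify_checksum "$dir/addon.xpi" "$dir/SHA256SUMS" 2>/dev/null; then
        rm -rf "$dir"; return 1
    fi
    echo "tampered copy: rejected"
    rm -rf "$dir"
    return 0
}

demo
```

In practice you run verify_signature over SHA256SUMS first and only then verify_checksum over the artifact; a signature made with a key you fetched from the same page as the download adds nothing, which is why the keyring is assumed to come from somewhere else (a key server, a previous release, a keysigning).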