Don’t Feed or Tease the Bears…

I've learned over the years to avoid bragging about how much more secure something is than something else. We used to have lots of these debates back at ISS. It was inevitable – whoever was going on about how their OS was more secure than your OS had a root exploit show up for their OS that week. We finally came to the conclusion that plugging in the network cable was the worst thing you could ever do, and anything you did before or after that didn't have much effect on the outcome…

Personally, I like the approach of a good sports coach. The interview usually goes about like this:

"Coach, what do you think about the game that your unbeaten Crushers are going to play against the 0-12 PeeWees tomorrow?"

"Well, it could be a tough game. We'll just have to play our best and see how it goes."

I was reading Robert Hensing's blog today (found here), which referred to a really fluffy interview with Window Snyder, where she took quite the opposite approach:

In setting out to elevate Firefox's basic security, Snyder is also compelling Microsoft and Apple, maker of the Safari browser, to follow her lead — or get out of the way.

Snyder's rising star is sure to ascend even more this week, with the release of Version 3.0 of Firefox on Tuesday. The release is packed with new features, most notably stiffer security, faster speed and improved ease of use.

In keeping with my observation of Murphy's law back at ISS, I wasn't exceptionally surprised to see this post by Ryan Naraine:

Code execution vulnerability found in Firefox 3.0

Just hours after the official release of the latest refresh of Mozilla's flagship browser, an unnamed researcher has sold a critical code execution vulnerability that puts millions of Firefox 3.0 users at risk of PC takeover attacks.

So how do I think our next release is going to do? Well, gee, there are a lot of determined people out there who are trying to find and sell exploits. We're going to work hard, do our best, and I hope it comes out well. I also think things like NX, ASLR, following the SDL, and doing our best to use least privilege might give us a leg up, but we'll see how it goes.

Sorry not to be posting lately – been really, really busy. I promise I'll have an interesting post about it when I'm done. This is also the time of year I tend to spend with my horse in the mountains…