As some of the long-time readers here will remember, this blog hosted a number of Mozilla developer interviews "back in the day". The format was simple but fun, and I think informative.
For those of you who don't remember or weren't around back then, here's one of the interviews with Gecko hacker Boris Zbarsky.
It's time to bring that feature back. I've got a few amazing Mozilla people lined up, starting with Jesse Ruderman, a member of Mozilla's security team and author of several amazing fuzzing tools.
Jesse's been finding and helping fix security bugs in Mozilla longer than just about anyone else and I couldn't be more pleased that he's agreed to do this interview with all of us.
So, ask away. At the end of the week, I'll gather up the best questions and deliver them to Jesse. (I may add a couple of my own, too.) Jesse will answer them and I'll post the questions and his answers soon after.
Posted by: Ephilei | May 13, 2008 7:34 PM
Questions:
"How did you get involved with Mozilla? Are you working there full time? What programming languages do you know?"
Posted by: José Jeria | May 14, 2008 8:38 AM
[a] Which one would you say has "helped more / had a bigger share" in finding security bugs:
1) people/researchers
2) automatic tools
[b] Any interesting story about security and automated tools?
E.g. a problem that is found both by someone and a tool at the same time, etc.
Posted by: pooya | May 14, 2008 8:48 PM
What is the hardest part about securing a software product?
Posted by: Daruku | May 16, 2008 12:47 PM
Man, how things change. I remember when these calls for questions got dozens of submissions.
I have two (3).
1/ It has become widely known now that totally secure software, like bug-free software, cannot be produced in a practical situation. But why is this so hard? A large software system has so many interlinking components that avoiding bugs in every interaction would be impossible; however, when we talk about security, I would imagine that can be much narrower. Would it not be possible to have a tight, clearly defined interface or "wall," that only validated input can pass through? Is this not an achievable goal?
2/ In terms of building software, how much is security a matter of a set of best practices (e.g. validating input) versus the need to consider it at an architectural/design level?
3/ If you used a Mac, would you run anti-virus software?
Cheers guys.
Posted by: DB | May 19, 2008 8:25 PM
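DB's first question describes the "wall" pattern: untrusted input is checked and converted to a trusted, typed value exactly once at the boundary, and everything inside the wall accepts only that type. The following is an added illustration of that pattern, not code from this post, from Jesse, or from Mozilla; the request format, the field names (`user`, `port`, `path`), the username policy and the limits are all constructed for the example.

```python
"""Boundary ("wall") validation, as an added example.

Untrusted input (a mapping of strings) is converted to a Request exactly
once, in parse_request(). Code inside the wall takes a Request and relies
on its invariants instead of re-checking raw strings.
"""
from dataclasses import dataclass
import re
from typing import Mapping

# Hypothetical policy: lowercase alphanumeric/underscore, 1-32 chars.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")
# ASCII digits only; str.isdigit() would also accept Unicode digits.
PORT_RE = re.compile(r"[0-9]{1,5}")
ALLOWED_FIELDS = {"user", "port", "path"}


class ValidationError(ValueError):
    """Raised at the wall when untrusted input violates the contract."""


@dataclass(frozen=True)
class Request:
    """A value meant to be built only by parse_request(); fields are trusted."""
    user: str
    port: int
    path: str


def parse_request(raw: Mapping[str, str]) -> Request:
    """The wall: every check on untrusted data lives here, nowhere else."""
    unknown = set(raw) - ALLOWED_FIELDS
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    try:
        user, port_s, path = raw["user"], raw["port"], raw["path"]
    except KeyError as e:
        raise ValidationError(f"missing field: {e.args[0]}") from None

    if not USERNAME_RE.fullmatch(user):
        raise ValidationError("bad username")
    if not PORT_RE.fullmatch(port_s) or not 1 <= int(port_s) <= 65535:
        raise ValidationError("bad port")
    # Reject control characters and any '..' segment (path traversal).
    if any(ord(c) < 0x20 for c in path) or ".." in path.split("/"):
        raise ValidationError("bad path")
    if not path.startswith("/"):
        raise ValidationError("path must be absolute")
    return Request(user=user, port=int(port_s), path=path)


def build_target(req: Request) -> str:
    """Inside the wall: no re-validation, relies on Request's invariants."""
    return f"{req.user}@host:{req.port}{req.path}"


def handle(raw: Mapping[str, str]) -> tuple:
    """Edge handler: returns (accepted, message-or-result)."""
    try:
        req = parse_request(raw)
    except ValidationError as e:
        return False, str(e)
    return True, build_target(req)


if __name__ == "__main__":
    # Constructed sample inputs: one good request, three rejected ones.
    for sample in (
        {"user": "alice", "port": "443", "path": "/api/v1"},
        {"user": "alice", "port": "443", "path": "/a/../etc"},
        {"user": "alice", "port": "70000", "path": "/"},
        {"user": "alice", "port": "443"},
    ):
        print(sample, "->", handle(sample))
```

The point of the design is that the interior function `build_target` has a single, narrow contract (a `Request`) and cannot be reached with raw input, so the surface that must be reviewed for input-handling bugs shrinks to `parse_request`.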
Have you been doing anything interesting with in-browser page modification (bookmarklets/greasemonkey) recently? Know anybody who is?
Posted by: Karl g | May 19, 2008 9:18 PM
Do you believe in the "Many Eyes" theory of security for open source, or is it overstated? Are people outside the Mozilla organization actively looking and helping find security vulnerabilities in the source? Could you comment on this quote below?
Here is a quote from Ben Laurie (http://safari.oreilly.com/0596008023/opensources2-CHP-4-SECT-1), if the full portion of the book is shown (it appears random how much of the book they show).
"What has happened is that advocates of open source have taken the "many eyes" argument to mean that because the source is available, many people will examine it for weaknesses. This simply isn't true: most people never look at the source at all (until it doesn't work), and even if they do, most do not have the experience to find the problems. The argument simply does not hold water, and it's time we, as a community, abandon it."
I rarely hear about people getting spyware while running Firefox, but I still hear about it with IE. If the market share of Firefox and IE were reversed and Firefox was the dominant browser, do you believe spyware installation on/through Firefox would still be scarce? Why or why not?
Posted by: Christopher Nebergall | May 19, 2008 11:24 PM
How's the collaboration with other browser manufacturers on fuzzing (and other security related) tools going?
Posted by: Robin | May 20, 2008 1:55 AM
What sort of things are you working on these days now that most of the fuzzers you wrote have been used enough to discover most of the easy bugs to find? More fuzzers? :)
Posted by: ispiked | May 21, 2008 6:21 PM
Do you think that the Mozilla Firefox DOM makes Firefox more secure than IE?
Posted by: Anil Kumar Chilukuri | June 17, 2008 11:39 AM
Dang, even your interviews are open source.