Archive for the 'security' Category

Window Snyder on Mozilla security metrics

Monday, October 27th, 2008

Robert Vamosi of CNet interviews Window Snyder, Mozilla’s chief security something-or-other, on security metrics at Mozilla and how we are trying to better understand security in an open-source project platform: At Mozilla, blowing the lid off security practices.

Window Snyder, Mozilla’s chief security something-or-other (her official title), wants to bring open source practices to the security community.

“At a lot of companies,” she told me recently, “there’s fear around security: you don’t want to talk about what you’re doing around security because one might deem it not enough–or might want to criticize it.” She said most companies have a lot of reasons to keep what you’re doing in security quiet, but not Mozilla. “We benefit from being open; it’s the model for us and it’s been successful for us.”

I hadn’t seen this on Planet yet so wanted to make sure folks saw this article.

Malicious Websites and the Underground Economy on the Chinese Web

Friday, December 7th, 2007

Although not directly relevant to Mozilla, this recent Technical Report: Studying Malicious Websites and the Underground Economy on the Chinese Web on security in the Chinese Internet looks very interesting. Amazing to see that gaming fuels the underground economy and that many of the transactions are done via Baidu and Taobao (which would be Google and eBay in the US).

Ryan Naraine from ZDNet breaks out some of the key findings:

  • “The market price of a Trojan is between tens to thousands Renminbi (RMB), and a package of 0-day powerful Trojan generator and evasion service can be up to several ten thousands RMB. 10 RMB is as of November 2007 equivalent to $1.34 US dollar.”
  • “The administrators of certain personal websites attract visitors with the help of free goodies, e.g., free movies, music, software, or tools. These websites often betray their visitors: they sell the traffic (i.e., website visits) of their websites to Envelopes Stealers (people that buy traffic and malware) by hosting the Web-based Trojans. This means that innocent websites visitors are redirected via these malicious websites to other sites that then attack the victims. If the attack is successful, a piece of malware is installed on the victim’s machine.” The going rate: 40 to 60 RMB per 10,000 IP visits.
  • Gamers are the linchpin of China’s underground economy. These folks are the victims of virtual asset theft–powers in games and virtual money. Without their demand, hackers wouldn’t have much to sell.
  • Bulletin boards are the communications tool of choice. Specifically, Baidu’s bulletin board is popular with hackers. “One of the most prominent places for such markets within China is the Baidu Post Bar, the largest bulletin board community in China but with weak administration. Advertisements can be commonly found on several pertinent post bars at the site post.baidu.com. This system has a keyword-based structure, and there are no other entries to the post bar: if you do not know the keyword to search for, you will not find any malicious entries. The actors within the black market have their own, unique jargon, and thus it is hard for an outsider to find any information about this threat. The actual trading of virtual assets happens on public market places like Taobao. These very common online business platforms within the WWW are used by the cyber criminals to advertise and sell their goods. After a trade was successful and a Player has bought a virtual good, the money is sent commonly via Alipay.”

Technical Report: Studying Malicious Websites and the Underground Economy on the Chinese Web