Mozilla employs ex-NSA member to weaken crypto

Name: Anonymous 2015-07-16 23:07

A week ago, it was revealed that Mozilla is employing a person who worked with the NSA to sabotage cryptographic standards. Incredibly, Mozilla refused to comment on this (though you had no problem participating in an inane and irrelevant debate about gay rights). Mozilla should provide a full explanation of what occurred and audit any contributions made by Eric Rescorla (and probably fire him).

Name: Anonymous 2015-07-16 23:12

<Eric Rescorla>
Hmm.... Please describe the attack you have in mind. Note that content scripts
actually can talk to arbitrary local LAN addresses, they just can't read the
response. And WebRTC incorporates a consent check before it lets you send
application-controlled data somewhere. So, what is it specifically you think that
WebRTC lets you do?

<Xidorn Quan> No, it doesn't ask anything before it provides the IP addresses to the content script.

<Eric Rescorla> It provides the machine's local address, but not any addresses of other
machines on the LAN. Again, I'd encourage you to describe the attack you are concerned about.
Is it merely disclosure of the local IP addresses of the machine, or something
else?

As I said in comment #2, Firefox is conformant to the RTCWEB specification,
so you should raise this issue on the IETF RTCWEB mailing list:

https://www.ietf.org/mailman/listinfo/rtcweb

I (and others) do appreciate that this has negative impacts if you are
trying to hide your IP address and if you have a proposal for how Firefox
can determine that people want that and suppress WebRTC, that's something
we could look at.

Jesup, I propose we close this with WONTFIX.
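
The disclosure argued over in the quoted Bugzilla exchange can be checked from the defender's side by looking at which private addresses appear in the ICE candidate lines a browser hands to a page. The following is an added example, not part of the thread or of Firefox's code; the function names and the sample candidate lines are constructed for illustration.

```javascript
// Constructed sample lines in ICE candidate-attribute syntax (RFC 5245);
// addresses come from private and documentation ranges.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 UDP 2122252543 192.168.1.23 54321 typ host",
  "a=candidate:2 1 UDP 1686052863 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:3 1 UDP 41885695 198.51.100.9 3478 typ relay raddr 203.0.113.7 rport 54321",
  "not a candidate line",
];

// True for RFC 1918 and link-local (169.254/16) IPv4 addresses.
function isPrivateIPv4(addr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Parse one candidate line; returns null when the line is not a candidate.
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  const i = f.indexOf("raddr", 8);
  return {
    address: f[4],
    port: Number(f[5]),
    type: f[7],
    relatedAddress: i !== -1 && f[i + 1] ? f[i + 1] : null,
  };
}

// List every private address a set of candidate lines reveals, and where.
function privateAddressesDisclosed(lines) {
  const found = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    if (isPrivateIPv4(c.address)) found.push({ address: c.address, via: c.type });
    if (c.relatedAddress && isPrivateIPv4(c.relatedAddress))
      found.push({ address: c.relatedAddress, via: c.type + " raddr" });
  }
  return found;
}

console.log(privateAddressesDisclosed(SAMPLE_CANDIDATES));
```

In the constructed sample the same local address shows up twice: once as the host candidate and once as the `raddr` of the server-reflexive candidate, so filtering host candidates alone would not hide it.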

Name: Anonymous 2015-07-16 23:14

He is hiding people's comments too

<Eric Rescorla> This comment (#65) violates Bugzilla etiquette. See:
https://bugzilla.mozilla.org/page.cgi?id=etiquette.html

Name: Anonymous 2015-07-16 23:19

I found a big bug in Mozilla. Would you please remove Eric Rescorla and other NSA-partisans from your software?

https://bugzilla.mozilla.org/show_bug.cgi?id=1001989

Name: Anonymous 2015-07-16 23:51

So fork it?

Name: Anonymous 2015-07-17 0:36

>>5
Fork my anus.

Name: Anonymous 2015-07-17 0:59

>>5
yeah that will solve the problem! gee I wonder why I didn't think of that!

Name: Anonymous 2015-07-17 1:04

That's why we need Cudder's ASM browser.
Too bad Cudder is all talk and no action.

Name: Anonymous 2015-07-17 14:20

http://www.wired.co.uk/news/archive/2014-01/15/mozilla

"Mozilla calls on users to protect Firefox from the NSA"

To ensure that no one can inject undetected surveillance code into Firefox, security researchers and organizations should:

regularly audit Mozilla source and verified builds by all effective means;
establish automated systems to verify official Mozilla builds from source; and
raise an alert if the verified bits differ from official bits.

In the best case, we will establish such a verification system at a global scale, with participants from many different geographic regions and political and strategic interests and affiliations.

Name: Anonymous 2015-07-17 14:47

Do Iceweasel maintainers audit Mozilla's code?

Name: Anonymous 2015-07-17 14:51

>>10
I doubt it.

>>1
though you had no problem participating in an inane and irrelevant debate about gay rights
[Citation Needed]

Name: Anonymous 2015-07-17 14:59

>>10
Does anyone audit Mozilla code? All you ever hear is that anyone can audit, and for some insane reason that is taken to mean someone does.

Auditing the shitpiles that browsers are is impossible, seeing how until you are done, the thing has moved twenty major releases and your version doesn't support the next fancy Revolutionary Web Technology.

Name: Anonymous 2015-07-17 15:18

>>12
It's impossible for a single person, but it looks plenty doable with a team, that's why I'm asking if a dedicated team of maintainers of a popular fork do so in the first place, or if the fork is limited to rebranding.

Name: Anonymous 2015-07-17 16:50

How about auditing the crypto bits etc. in Mozilla, too? And not just the verifiability of builds, which in itself just means that any vulnerabilities will be present consistently.
