3 comments
SebFender 11 months ago
With all due respect - I laugh every time a researcher thinks THEY found something... Sometimes they really do, but many times others have long before and just don't share the results...
1vuio0pswjnm7 11 months ago
"Let's now skip ahead a few years to the first research paper I ever worked on. With (who would later become) my PhD advisor, we found that most of the most popular Chrome extensions were vulnerable to a variety of attacks that could let us do very bad things. Over half of the extensions we studied were vulnerable to attack, impacting millions of users."

Lots of HN commenters are fans of popular browsers and "browser extensions". Maybe they just like the ones that are not vulnerable to a variety of attacks. Yeah, right.

The idea that I never see in these published papers is that (a) the software being examined should henceforth not be distributed to the public. Or even that people should stop using this software. Instead I almost always see the idea that (b) the software should be "fixed".

The power of idea "(a)" is that it stops the problems for end users. It leaves nothing for "attackers". Ideally it stops bad programmers from distributing software to the public for commercial purposes.

Whereas idea "(b)" generally keeps these bad programmers doing what they do: writing bad software and profiting from it. It might temporarily embarrass them but they will continue to distribute their bad software to the public, for profit. (And creating more "puzzles" for people like the author of the blog post. Arguably giving these "attackers" an interest in seeing more bad software distributed. Keep those puzzles coming.)