about ten days at black hat

I’ll write more about this later, but since people are starting to pick this up, I want to get this out quickly.

When I wrote “ten fucking days” on a card for Robert (rsnake), I was intending to express my confidence in our ability to turn around a fix quickly if we needed to, by giving him a sort of “admit one” ticket for a disclosure that he thought needed an especially fast response due to extreme risk or some such. That was a bit overzealous, in the cold light of hindsight, but at no point did I intend to indicate that Mozilla policy was a ten-day turnaround on all disclosed vulnerabilities. People are reading the conversation and Robert’s post that way, but that’s not our situation, and it certainly wasn’t my intent to give that impression.

I apologize, and hope that nobody will think less of Mozilla because of my error. We don’t issue challenges, and nobody here thinks that security response is a game. This was a personal bargain and overwrought showmanship from a late-night Black Hat party that has now taken on a life of its own, and I hope the fracas about my overzealous comments to Robert doesn’t overshadow the great work that people on the Mozilla project do to keep our users secure.

[Update: Window has posted on this topic as well, over at the Mozilla security blog.]

vegas, baby

Back at the Boston DevDay in March, Window asked me if I’d be interested in speaking with her at Black Hat. Just as I would if Tony Hawk asked if I’d like to hit the half-pipe with him, I agreed enthusiastically, and the fruit of that agreement — and Window’s patience as co-speaker and designated grown-up — will be available this Thursday, when we present Building and Breaking the Browser at this year’s Black Hat Briefings in Las Vegas. Window will be talking about how process, product design and tools all help us build a more secure product, and how those techniques and strategies can help others make their own software more secure. Jesse will, I believe, be demonstrating one of his killer tools. I’ll be wondering why I stayed at our most chill party until the early morning when I knew I had to be on stage at 10AM, and trying to not make it totally obvious that I’m the dumbest guy in the room.