☕️ Insufficient Coffee

Imposter Syndrome

Published 2025-12-15

Back in August 2023 I received a very odd question from a well-known journalist:

I’m reaching out because I’m investigating some research published last week on LinkedIn. I’m curious if you’d care to speak with me on background about this? https://www.linkedin.com/pulse/rogue-user-account-swapped-microsoft-consumer-keys-lee/

Someone on LinkedIn had discovered that my Phabricator account – the code review service used then for Mozilla code landing in Mercurial – was marked Disabled, while my Bugzilla account was not. Furthermore, my two accounts had different pictures.

A segment of the posting

It goes on to describe me as:

“tricking the NSS team into pushing out new versions of Microsoft’s 2017 Trusted Root Keys for ECC and RSA on June 27, 2020. NSS to 3.54 #3286 package release”.

NSS in this context does not mean National Security System, but rather Network Security Services, the cryptography library used by Firefox, of which I was a maintainer.

The post then attempts to tie a routine root store update for Microsoft’s PKI roots (Bug 1641716) to an incident disclosed in Microsoft PKI’s WebTrust audit reports.

But the key bit of evidence cited is that my Phabricator account was disabled after I left Mozilla, while my Bugzilla account was not.

Without understanding more about how Mozilla operates, I can see that being confusing. To put it succinctly: disabling Phabricator made it harder for me to submit new code to Firefox and associated projects, which is fine since I planned to step away from them (for a while). But I was still using my Bugzilla account for reports related to Let’s Encrypt.

When it was brought up, I had an hour or so of panic, during which I went back to Kathleen’s change request: I reviewed its whole edit history; the confirmation of its accuracy by John Mason of the Microsoft PKI team; my patch; the patch review by both Kathleen and my peer Kevin; and the code merge by Kevin. I checked all the octal representations against the hex ones, and against the PDF files. Everything matched up fine. Nothing to worry about: the system of multiple, independent checks worked, and the WebPKI was still safe.
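The check described above (octal bytes in the root store versus the fingerprint the CA publishes) is mechanical enough to script. The following is an added example, not code from this post or from NSS: it encodes a constructed, non-certificate byte string in the MULTILINE_OCTAL form that NSS’s certdata.txt uses, decodes it back, recomputes the SHA-256 fingerprint and compares it with an expected value. The function names and the placeholder bytes are mine; the assumption that the published fingerprint is a colon-separated SHA-256 hex string is labelled in the code.

```python
import hashlib
import re

# Constructed placeholder bytes: NOT a real certificate, just a DER-looking
# byte string so the example runs offline without fetching a root store.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0A, 0x02, 0x01, 0x02]) + bytes(range(7, 64))


def to_certdata_octal(der: bytes, per_line: int = 16) -> str:
    """Encode bytes the way certdata.txt writes a MULTILINE_OCTAL block:
    one backslash-escaped three-digit octal value per byte, terminated by END."""
    escapes = ["\\%03o" % b for b in der]
    lines = ["".join(escapes[i:i + per_line]) for i in range(0, len(escapes), per_line)]
    return "CKA_VALUE MULTILINE_OCTAL\n" + "\n".join(lines) + "\nEND\n"


_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def parse_certdata_octal(block: str) -> bytes:
    """Decode a MULTILINE_OCTAL block back to bytes.

    Anything that is not a well-formed octal escape is rejected rather than
    skipped, so a stray or malformed character cannot silently alter the
    decoded certificate bytes."""
    out = bytearray()
    for line in block.splitlines():
        line = line.strip()
        if not line or line.endswith("MULTILINE_OCTAL") or line == "END":
            continue
        if _OCTAL_ESCAPE.sub("", line):
            raise ValueError("non-octal content in MULTILINE_OCTAL block: %r" % line)
        for digits in _OCTAL_ESCAPE.findall(line):
            value = int(digits, 8)
            if value > 0xFF:  # e.g. \777 is syntactically octal but not a byte
                raise ValueError("octal escape out of byte range: \\%s" % digits)
            out.append(value)
    return bytes(out)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint (assumed here to be the
    form a CA publishes in its root documentation)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fingerprint: str) -> str:
    return fingerprint.replace(":", "").replace(" ", "").upper()


def verify_root_entry(block: str, expected_fingerprint: str) -> bool:
    """Recompute the fingerprint from the octal bytes in the store and compare
    it, ignoring case and separators, with the value published by the CA."""
    actual = sha256_fingerprint(parse_certdata_octal(block))
    return _normalize(actual) == _normalize(expected_fingerprint)


if __name__ == "__main__":
    block = to_certdata_octal(SAMPLE_DER)
    print(block)
    print("fingerprint:", sha256_fingerprint(SAMPLE_DER))
    print("matches:", verify_root_entry(block, sha256_fingerprint(SAMPLE_DER)))
```

The point of the strict parser is that a root store entry is only as trustworthy as the bytes that end up in it: a single altered octal escape changes the certificate, so the decoder refuses unrecognised input instead of skipping it, and the comparison is made on the recomputed fingerprint rather than on anything copied from the patch itself.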

My reply to that journalist:

I don’t have any comments except to say that the “jcj” user referred to was my real Phabricator account, which was closed when I left Mozilla later that year. As far as I can tell I was carrying out the work described and reviewed by the Mozilla and Microsoft teams in this issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1641716