1. 2

    Seems to fly in the face of the reproducible builds movement :) One could compile it for a reproducible build, ensure happiness and then recompile with this for security I guess.

    1. 1

      It was actually one of my counterpoints to reproducible builds. Reproducible builds in deployment = reproducible attacks. The diversity approach makes systems as different as possible to counter attacks. In the big picture, the attacks reproducible builds address are rare whereas the attacks diversifying compiles address are really common. Better to optimize for common case. So, diversified builds are better for security than reproducible builds in common case.

      So, I pushed the approach recommended by Paul Karger who invented the attack Thompson wrote about later. The early pioneers said we needed (at a minimum) secure SCM, a secure distribution method, safe languages to reduce accidental vulnerabilities, verified toolchains for compiles, and customers build locally from source. Customers should also be able to re-run any analyses, tests, and so on. This was standard practice for systems certified to high-assurance security (Orange Book B3/A1 classes). We have even better tools now for doing those exact things commercially, FOSS, formally-verified, informal-but-lean, and so on. So, we can use what works with reproducible builds still an option esp for debugging.

      1. 8

        With load-time randomization you can both have and eat that reproducible-build cake.

        1. 1

          cool idea, Thanks for posting!

          1. 1

            That’s news to me. Thanks for the tip!

          2. 1

            It was actually one of my counterpoints to reproducible builds.

            Running a build for each deployment is extremely impractical. Also, when binaries are generated and signed centrally you have guarantees that the same binary is being tested by many organizations. Finally, different binaries will behave slightly differently, leading to more difficult debugging.

            Hence the efforts on randomizing locations at load time.

            1. 0

              The existing software that people are buying and using sometimes has long slowdowns on installs, setup, load, and/or update. Building the Pascal-based GEMSOS from source would’ve taken a few seconds on today’s hardware. I think that’s pretty practical compared to the above. It’s the slow, overly-complicated toolchains that make things like Gentoo impractical. Better ones could increase the number of projects that can build from source.

              Of course, it was just an option: they can have binaries if they want them. The SCM and transport security protect them if developers are non-malicious. The rest of the certification requirements attempted to address sloppy and malicious developers. Most things were covered. Load-time randomization can be another option.
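A check a practitioner would want after the exchange above: whether a given binary is actually eligible for load-time randomization at all. On ELF systems the loader can only choose a random base for ET_DYN objects (PIE executables and shared libraries); an ET_EXEC binary is pinned to its link-time addresses regardless of the system's ASLR policy, so a reproducible build that is not PIE gets none of the benefit. The following is an added example, not code from anyone in this thread; the two 64-byte headers it builds are constructed for the demonstration and are not real binaries.

```python
import struct

# Constants from the ELF specification.
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ET_EXEC, ET_DYN = 2, 3


def elf_type(data: bytes) -> int:
    """Return e_type from the start of an ELF file.

    e_ident[EI_DATA] (byte 5) selects endianness (1 = little, 2 = big);
    e_type is the 16-bit field at offset 16 for both ELF32 and ELF64.
    """
    if len(data) < 18 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return e_type


def load_time_randomizable(data: bytes) -> bool:
    """True for ET_DYN (PIE executable or shared object), which the loader
    may place at a random base; ET_EXEC is fixed at its link-time address."""
    return elf_type(data) == ET_DYN


def fake_elf64_header(e_type: int, little_endian: bool = True) -> bytes:
    """Constructed sample: a 64-byte ELF64 header with only the fields this
    check reads filled in meaningfully. Not a loadable binary."""
    endian = "<" if little_endian else ">"
    e_ident = (ELF_MAGIC
               + bytes([ELFCLASS64, 1 if little_endian else 2, 1, 0])
               + b"\x00" * 8)
    # e_type, e_machine (62 = x86-64), e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    rest = struct.pack(endian + "HHIQQQIHHHHHH",
                       e_type, 62, 1, 0, 64, 0, 0, 64, 56, 0, 64, 0, 0)
    return e_ident + rest


PIE_SAMPLE = fake_elf64_header(ET_DYN)    # what a PIE build looks like
EXEC_SAMPLE = fake_elf64_header(ET_EXEC)  # fixed-position, ASLR cannot move it

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            hdr = f.read(64)
        try:
            verdict = "ET_DYN (load-time randomizable)" if load_time_randomizable(hdr) \
                else "ET_EXEC (fixed base)"
        except ValueError as e:
            verdict = str(e)
        print(path, verdict)
```

Run it as `python pie_check.py /usr/bin/*` to see which installed programs are still fixed-position. ET_DYN alone does not distinguish a PIE executable from a shared library; for that you would additionally look for a PT_INTERP program header, which this header-only check deliberately does not parse.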

          3. 1

            It looks like the builds are seeded, so it may be possible to reconstruct a pristine image given the seed.
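The seed remark above is the hinge between the two positions in this thread: if the diversifying transformation is driven by a recorded seed, a diversified image is still reproducible, it just has one extra input that must be stored alongside the artifact. The following added example (not code from the thread or from any real toolchain) simulates that with a toy "linker" that shuffles function order and inserts NOP padding under a seeded PRNG, then verifies an image by rebuilding it from the recorded seed. The function bodies are constructed byte strings, not real compiled code.

```python
import hashlib
import random
from typing import Optional

# Constructed sample "object code": function name -> bytes. A stand-in for
# compiler output; the bytes are not meaningful instruction sequences.
FUNCTIONS = {
    "main":  b"\x55\x48\x89\xe5\x90\xc3",
    "parse": b"\x48\x83\xec\x20\x90\x90\xc3",
    "auth":  b"\x31\xc0\x48\x85\xff\x75\x02\xc3",
    "log":   b"\x90\xc3",
}


def link(functions: dict, seed: Optional[int]) -> bytes:
    """Lay out functions into one image.

    seed=None gives the canonical (name-sorted, unpadded) layout a plain
    reproducible build would produce. Any integer seed drives a
    deterministic shuffle plus random NOP padding between functions, so
    different seeds give different images while the same seed always
    yields byte-identical output.
    """
    names = sorted(functions)
    if seed is None:
        return b"".join(functions[n] for n in names)
    rng = random.Random(seed)           # seeded PRNG: the only source of diversity
    rng.shuffle(names)
    image = bytearray()
    for name in names:
        image += functions[name]
        image += b"\x90" * rng.randrange(0, 16)   # x86 NOPs as inter-function padding
    return bytes(image)


def build_record(functions: dict, seed: Optional[int]) -> dict:
    """Emit the artifact together with the metadata needed to re-verify it."""
    image = link(functions, seed)
    return {"seed": seed, "sha256": hashlib.sha256(image).hexdigest(), "image": image}


def verify(record: dict, functions: dict) -> bool:
    """Rebuild from source with the recorded seed and compare digests: the
    reproducible-build check, applied unchanged to a diversified image."""
    rebuilt = link(functions, record["seed"])
    return hashlib.sha256(rebuilt).hexdigest() == record["sha256"]


if __name__ == "__main__":
    rec = build_record(FUNCTIONS, seed=2017)
    print("seed", rec["seed"], "sha256", rec["sha256"], "verifies:", verify(rec, FUNCTIONS))
    print("canonical sha256", hashlib.sha256(link(FUNCTIONS, None)).hexdigest())
```

The debugging concern raised upthread is handled the same way: a crash report that carries the seed lets you regenerate the exact image that was running, rather than a binary that merely came from the same source.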

          1. 4

            You can make person to person electronic transfers in the US, they just aren’t free or easy. I made monthly wire transfers for 3 years to pay rent. The transfers were person to person and cleared same day or next day, just like the author had in Australia. In the US though my credit union charged a $15 fee and required me to call them and then verify all information on a call back to me.

            Real banks can do domestic wires all electronically but typically have higher fees. Banks can and do compete on the fees [1], but it’s just not something most US consumers care about.

            There is no incentive for US banks to make person to person transfers either free or easy. The banks are responsible for costs of fraud, which would be massive at the rollout of free and instant person to person payments, but would gain no new revenue.

            Eventually regulation will force their hand, but until then we’ll be taking pictures of checks.

            1. 3

              It is amazing that despite having sandboxing technology built into Windows, and used to sandbox renderers in Edge, the scanner portion of Defender was left un-sandboxed.

              1. 2

                When I used Windows, there were also many 3rd party solutions like DefenseWall, AppGuard, and Sandboxie. I think Chrome published how theirs worked, too.

              1. 4

                Am I the only one who thought this was hilarious and well planned? Looks like it worked even better than expected.

                The fake outrage has bought Burger King and the Whopper more media exposure than they could have paid for.

                1. 3

                  Whether it was successful time will tell. Personally this caused irreversible brand damage both to BK and Google in my eyes.

                1. 28

                  The startup programming environment represents the victory of showhorses over workhorses. It’s more important that these companies manage up into investors and look busy than it is for them to get any actual work done. In other words, startup programmers are more valuable as office furniture (see: $1-5M/head acqui-hires) than for what they actually do. Open-plan offices are terrible for productivity but they look busy. For this reason, I don’t see them going away any time soon.

                  Also, open-plan offices are probably better than cubicles, which still have the noise and line-of-sight issues. If you’re in a typical cube and still visible from behind, then you get claustrophobia (brick wall in front of you) and agoraphobia (seen from behind, surveillance-state anxiety) at the same time. What we really want are private or pair offices… or just the ability to break away and code for a few hours. Cubicles would be a step in the wrong direction.

                  The ideal office would have open spaces and private offices, so people can meet in the commons, break away, or have individual coding time. It’s amazing to me that this is judged to be “too expensive”, because a better office pays off multiply in productivity. I think that one of the problems is that office culture is in a deep state of denial. The fiction is that everyone’s working as hard as they can, at 100% productivity at all times, and that office accommodations are a nice-to-have rather than a critical factor in the quality of work. In other words, the stingy people who are constantly looking for ways to cut (and by “cut” I mean “externalize”) costs on office space see it as a nice-to-have and a morale issue rather than a raw productivity issue. You can’t raise the issue around open-plan offices without admitting that the corporate fiction (that people are already working at 100% efficiency) is false.

                  Open-plan offices also have a problem with adverse selection. The really good individual contributors, as soon as they have leverage or clout, start working from home: first a day a week, then 3 days per week, and then consistently. The managers and wannabe managers show up every day, and so do the juniors who aren’t in a position to work from home, but the senior individual contributors usually get out of that environment. So this supposedly “collaborative” environment ends up losing the people who might actually be able to make others more productive, and gets stuck with the ones who make people less productive.

                  1. 5

                    Also, open-plan offices are probably better than cubicles, which still have the noise and line-of-sight issues.

                    For what it’s worth, in my experience, the office with cubicles has been much better than the open-plan office (low-wall partial cubes rather than “bunch-of-folks-at-a-table”). It’s quieter and more private, and I can set myself up so the angles of approach are more constrained. There are definitely overarching differences in office environment, too—my current cubicled office is quieter overall and I’m not along the hot path the salespeople all take—but I think at least some of that is due to the fact that the space is partitioned rather than open.

                    1. 2

                      Office preference depends on personality. I have a suspicion that it has something to do with what one assumes is a universal human experience, but isn’t [1,2].

                      Just because someone is a really good individual contributor has no bearing on whether they’ll like working from home. For instance, I worked from home for 2 years before I switched jobs so I could work in a co-working space (among other reasons). I know of another (very good) developer who wants to leave their current employer because they want to work in an office.

                      1. http://digest.bps.org.uk/2016/02/you-hear-voice-in-your-head-when-youre.html
                      2. http://lesswrong.com/lw/dr/generalizing_from_one_example/
                    1. 12

                      Apple’s decision not to allow arbitrary parts to talk to their security enclave is a good security decision. However, Apple has handled this very poorly, by bricking the phone.

                      My guess is that Apple employees only live in areas with authorized Apple stores, and can’t possibly imagine a legitimate reason for unauthorized repairs.

                      1. 3

                        I heard that touchid is simply disabled if it isn’t validated. The problem appears to be that when the user then later updates, some part of the update fails because it expects the touchid to be working, but it is instead disabled. My guess is a nasty bug as part of the install/upgrade process. I read somewhere on the hackernews thread about this that for some users a restore of an older backup got their phones usable again (with touchid still disabled).

                        Does installing rando third-party aftermarket parts void the warranty?

                        Info is a bit vague and reactionary on this topic, so I am not sure if this is true or not.

                      1. 1

                        Doesn’t New York have about the same climate and the tall buildings that Chicago has? Why doesn’t New York have as many revolving doors?

                        1. 3

                          As someone who lives in Chicago and visits NYC for work, the average difference may not seem like much (Chicago has an average January low of 18F and NYC has an average January low of 26F), but it certainly feels much different.

                          Maybe humans just perceive those lower lows more strongly? From my experience, the change from 0F to 15F feels a lot more noticeable than a change from 30F to 45F.

                          1. 2

                            Interesting, to me, the change from 0F to 15F is almost nothing, but the change between 30F and 45F feels much different, because the air feels different above freezing as opposed to below. This could just be me though.

                            1. 2

                              I’ve got the same thing although in the Netherlands. I prefer it to be either above 10C or below 0C than in between. Maybe because there’s more water in the air while also being cold between 0C and 10C?

                            2. 2

                              I moved from Boston (very similar climate to New York) to Chicago for university, and was shocked by how much colder it was. Of course, then I moved to Minneapolis, and learned what real cold feels like. Ye cats.

                              1. 2

                                Eh, you get used to it; we’ve got nothing compared to places like Anchorage. The wind is what makes cold cold. -20 with no wind? No problem. 10mph wind? Ok, now you’ve got my attention.

                            3. 2

                              When I first moved to NYC I was struck by the prevalence of revolving doors. I figured the reason was just that with so many people coming in and out it was more efficient in terms of the HVAC bill and I never thought of the pressure effect. I don’t know how it compares to Chicago, but I can tell you that NYC definitely has a lot of revolving doors compared to anywhere else I have lived.

                              1. 1

                                Ah, ok. The article seemed to be saying that NYC had hardly any rotating doors:

                                Minneapolis might be colder and New York may have tall buildings, but Chicago uniquely combines all the important factors.

                                1. 1

                                  As someone that lives in the twin cities, there really aren’t that many revolving doors even in the tall buildings. And yes we’re colder than Chicago most of the time. I’m actually hard pressed to come up with a skyscraper in Minneapolis or st paul with revolving doors for the entrance. None jump out at me but I’ll be honest I haven’t paid much attention.

                                  Generally though we tend to have 2 sets of doors on buildings, so that might mitigate the pressure situation somewhat. I’ll have to ask my architect drinking buddy what the deal is. I always heard they reduced the cooling/heating bill more than the pressure situation.

                                  1. 1

                                    I think you missed a sentence. “Chicago and New York are the biggest markets for revolving doors.”

                                    Though quite a few places in New York don’t have space for revolving doors. They don’t have space for double doors, either. They just hang a curtain inside the door, which is pretty useless.

                              1. 7

                                Why would Chrysler think it’s a good idea to connect your car to the Internet?

                                1. 7

                                  Finding out where the car was parked/stolen
                                  Performance data, lap times Navigation Traffic data
                                  Weather
                                  News
                                  Skype/viber/voip/facebook
                                  Friends locations, “Hey, Jeff is at that petrol station!” (Might actually be cool, but prone to abuse/creepiness)

                                  I’m not saying they’re good reasons, just some things customers might want :)
                                  I guess anything you would use your phone/devices for + car spin offs of those things.

                                  I think a better question is, “Why would any car company think it is a good idea to directly connect the vehicle control network to the entertainment system?”. As with the previous Toyota and BMW issues, air gap, people!

                                  1. 5

                                    “I lost my keys. Can you let me in?”

                                    “Someone stole my car. Can you turn it off?”

                                  1. 10

                                    Author here, will gladly answer any questions people may have.

                                    1. 2

                                      Have you ever played in the lottery (or played more) since you’ve had so much access with bitsquatting?

                                      1. 1

                                        Nope, but someone wins every time.

                                      2. 1

                                        Did you find any pattern in which particular bit in an octet was likely to become corrupt?

                                        1. 3

                                          I didn’t register enough different variations to answer that with confidence. It would be a good experiment though!

                                      1. 4

                                        This has incredible implications. Looks like only 30 registrations (so, not looking for just any bit flip, but 30 specific bit flips) led to wild success here. It wouldn’t be terribly hard to exploit this more determinedly for other high value sites.

                                        1. 2

                                          It might also not be too hard to try and discover if anyone else is already trying.

                                          1. 2

                                            Since my original talks at Blackhat/DEFCON 2011 several people have followed up with their own bitsquatting research (see: http://blog.dinaburg.org/2013/09/bitsquatting-at-defcon21-and-more.html). During my q & a at DEFCON at least one group of people wanted to use bitsquatting to serve up ads.

                                          2. 0

                                            Yet another reason for HSTS I guess

                                            1. 4

                                              As other people pointed out, HSTS wouldn’t really help for most cases, and neither would DNSSEC. Most of the errors are already in the HTML that’s served to the browser, probably corrupted somewhere on the server.

                                              A lot of people found this hard to believe since it required some kind of wide-spread bug that caused bit flips in memory, but now we found one: https://en.wikipedia.org/wiki/Row_hammer, although I have no evidence the two are related.

                                              1. 3

                                                Not sure I follow - if the issue is that corruption occurs in memory, the request for micro3oft.com instead of microsoft.com is completely legitimate from the perspective of the requesting system; it never requested microsoft.com and got a different site, it always was asking for micro3oft.com.

                                                HSTS wouldn’t address this in any meaningful way, would it?

                                                1. 4

                                                  Whoops, you’re right, if the bit flip happens before cert validation then sure, it could be a valid HSTS request to a site with a valid cert for micro3oft.com. I guess I was thinking about name resolution bit flips only.

                                                  Dang, this is pernicious.
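Two of the points above lend themselves to a worked example: enumerating the specific single-bit-flip variants of a name that are worth registering (or watching for someone else registering), and detecting the served-HTML case, where a flipped hostname is already in the page the browser receives, so the browser faithfully fetches the wrong host and HSTS on the intended host never enters the picture. The code below is an added example, not the author's tooling; the HTML snippet and the trusted-domain list are constructed for the demonstration, and the `ajax.*` hostnames in it are placeholders rather than real observed targets.

```python
import re
import string

# Characters a DNS label may contain; uppercase is excluded because DNS is
# case-insensitive, so flipping bit 5 of a letter is the same name.
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")

# Host portion of an absolute or scheme-relative URL as it appears in HTML.
HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+)", re.I)


def bitsquat_candidates(domain: str) -> dict:
    """Map every single-bit-flip variant of `domain` that is still a
    plausible hostname to the (character index, bit) that produces it.

    Only the labels left of the TLD are flipped; the separating dots and
    the TLD are left alone so results stay within registrable names.
    """
    domain = domain.lower()
    name, _, tld = domain.rpartition(".")
    out = {}
    for i, ch in enumerate(name):
        if ch == ".":
            continue
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped == ch or flipped not in LABEL_CHARS:
                continue
            variant = name[:i] + flipped + name[i + 1:] + "." + tld
            # labels must be non-empty and may not start or end with '-'
            if any(l == "" or l[0] == "-" or l[-1] == "-" for l in variant.split(".")):
                continue
            out[variant] = (i, bit)
    return out


def flips_by_bit(candidates: dict) -> list:
    """Count registrable variants per bit position (0 = LSB .. 7 = MSB).
    Useful for the 'which bit flips most' question: compare observed hits
    against how many candidates each bit even offers."""
    counts = [0] * 8
    for _, bit in candidates.values():
        counts[bit] += 1
    return counts


def find_bitflipped_hosts(html: str, trusted: list) -> list:
    """Hosts referenced in `html` that are exactly one bit flip away from a
    trusted domain. Returns (observed_host, trusted_host) pairs. A hit
    means the page was corrupted after authoring, or was authored against
    a squatted name; either way the browser will request the flipped host."""
    lookup = {}
    for t in trusted:
        for variant in bitsquat_candidates(t):
            lookup[variant] = t.lower()
    hits = []
    for m in HOST_RE.finditer(html):
        host = m.group(1).lower()
        if host in lookup:
            hits.append((host, lookup[host]))
    return hits


# Constructed sample page: one script tag points at a bit-flipped host.
SAMPLE_HTML = (
    '<html><head>'
    '<script src="//ajax.micro3oft.com/jquery.js"></script>'
    '</head><body><a href="https://www.microsoft.com/">ok</a></body></html>'
)
TRUSTED = ["ajax.microsoft.com", "www.microsoft.com"]

if __name__ == "__main__":
    cands = bitsquat_candidates("microsoft.com")
    print(len(cands), "registrable single-bit variants of microsoft.com")
    print("per-bit counts:", flips_by_bit(cands))
    print("flipped hosts in sample page:", find_bitflipped_hosts(SAMPLE_HTML, TRUSTED))
```

The variant the thread mentions, `micro3oft.com`, comes from flipping bit 6 of `s` (0x73) to give `3` (0x33); the enumerator recovers exactly that. Bit 7 never produces a candidate because every result is outside ASCII, which is one structural reason observed flips cluster in the low bits regardless of hardware behaviour.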

                                            1. 6

                                              Wanted to say that I would have never joined had it not been for the open invitation system. I don’t really use social media, and none of my work colleagues were on lobsters.

                                              1. 3

                                                To counter most of the commenters here, I find that open offices are fantastic for communication and whole team productivity.

                                                Having worked in cubes, offices, open floor plan, and now remotely, open floor was by far the best experience.

                                                I want to elaborate more, but it’s difficult to type out a long explanation on a phone.

                                                1. 2

                                                  I’ve had open plan offices in all four jobs. Two of them were small companies where each team had a room each, while two had massive open plan offices with hundreds of people in them. I found the team offices to work quite well, but multi-team open plan offices not so well. Visitors are impressed by our cavernous office with its chandeliers but IMO it can be very frustrating with lots of interruptions. Especially with floors that bounce when people walk by. (Which they inevitably do because there’s toilets & tea/coffee points only at each end.)

                                                  1. 1

                                                    Two of them were small companies where each team had a room each

                                                    What did the team sizes look like? Small team offices can be manageable if the team dynamics are right, but I still prefer the approach of giving each developer their own office and having enough larger rooms that teams can grab them on an ad-hoc basis. If you’ve got enough space that you don’t need to strictly schedule rooms, that’s perfect; if not, as long as a team can get a room with little friction that seems to be perfect.

                                                    This is why I like developing software inland - real estate is really cheap here so it’s very easy to provision like this.

                                                    while two had massive open plan offices with hundreds of people in them.

                                                    Holy moly. I bet the noise pollution was overwhelming.

                                                    1. 3

                                                      In one of the jobs my team was 6 people at its peak. I found a picture of my team area here: http://www.andarchitects.co.uk/content/commercial/56 - it was my favourite office so far. There were 4 desks not showing in this picture, so 10 seats in total. Another 12 on the other side of the red wall there, and kitchens & more desks downstairs.

                                                      Latest job… well, noise pollution certainly is a problem. (It’s even busier now, as they’ve crammed more desks into the same space.)

                                                1. 10

                                                  Over time, we’d variously used PGP, Pidgin OTR, and a number of different encrypted chat services; and never been quite satisfied.

                                                  We knew there had to be a better way, that a future where everyone could have privacy was possible.

                                                  So, we created Cyph.

                                                  No discussion (or links) of which crypto protocols are used, on the front page of any “secure messaging app”, makes me very nervous.

                                                  1. 13

                                                    It’s military-grade!

                                                    1. 6

                                                      Seriously the #2 smell test for me is people talking exclusively about crypto building blocks and not discussing the overall system. I don’t care how strong your ciphers are if you’re running them in CBC mode, it doesn’t matter how many bits your hash is if your message integrity consists of SHA512(message) and that’s it.

                                                      (#1 smell test is cracking challenges as a proof of security! Let’s see if they get there…)

                                                      1. 3

                                                        s/CBC/ECB ?

                                                        1. 1

                                                          If I had a nickel for every time I typed the acronym for “the slow mode” when I really meant to type the acronym for “the scary bad mode”…

                                                          Thanks!
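To make the integrity half of that smell test concrete: a bare SHA512(message) check can be recomputed by whoever alters the message, so it catches accidental corruption and nothing else, whereas an HMAC requires the shared key the attacker does not have. The following is an added example, not Cyph's code or anything posted in the thread; the JSON message and the key are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample: a message as a chat application might frame it.
MESSAGE = b'{"from":"alice","to":"bob","text":"send the 10 BTC to bob"}'


def naive_tag(message: bytes) -> bytes:
    """Integrity 'protection' by hashing the message alone. Anyone who can
    change the message can recompute this, so it detects accidents only."""
    return hashlib.sha512(message).digest()


def naive_verify(message: bytes, tag: bytes) -> bool:
    return naive_tag(message) == tag


def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA512: recomputing the tag requires the shared secret key."""
    return hmac.new(key, message, hashlib.sha512).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # Constant-time compare so the check does not leak how many leading
    # bytes of a forged tag happened to match.
    return hmac.compare_digest(mac_tag(key, message), tag)


def attacker_rewrite(message: bytes, intercepted_mac: bytes) -> tuple:
    """What an on-path adversary does with each scheme: edit the message and
    recompute SHA512 for the naive scheme; for the HMAC scheme they have no
    key, so the best they can do is replay the tag they intercepted."""
    forged = message.replace(b"bob", b"mallory")
    return forged, naive_tag(forged), intercepted_mac


def run_demo(key: bytes) -> dict:
    """Drive both schemes against the same tampering; returns the verdicts."""
    forged, forged_naive, replayed_mac = attacker_rewrite(MESSAGE, mac_tag(key, MESSAGE))
    return {
        "forged": forged,
        "naive_accepts_forgery": naive_verify(forged, forged_naive),
        "hmac_accepts_forgery": mac_verify(key, forged, replayed_mac),
        "hmac_accepts_original": mac_verify(key, MESSAGE, mac_tag(key, MESSAGE)),
    }


if __name__ == "__main__":
    import os
    for k, v in run_demo(os.urandom(32)).items():
        print(k, v)
```

The same reasoning is why "it uses AES-256 and SHA-512" tells you nothing on its own: the primitives are fine, and the construction around them is where this kind of scheme fails.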

                                                      2. 2

                                                        Isn’t military-grade cryptography, by definition, NSA (or other country equivalent) approved and audited?

                                                        Always wondered why anyone would want to use that specific adjective to describe their secure chat program.

                                                      3. 1

                                                        Right now, the “Military-grade encryption” text on their website is a link to Wikipedia’s page on Off-the-Record Messaging.

                                                      1. 7

                                                        What’s the upside of accessing lobsters via a tor hidden service versus accessing lobste.rs over tor?

                                                        1. 7

                                                          I won’t be able to see your IP address.

                                                          1. 2

                                                            Is it possible for onion sites to support SSL (I suppose a CA will sign anything if you pay?)? Currently it seems like using Tor to access https://lobste.rs/ would be a better choice.

                                                            1. 4

                                                              Facebook got one but they are special. No widely-accepted CAs have open registration for .onion addresses, AFAIK.

                                                              Using Tor to reach lobste.rs requires an exit node in the middle to pass traffic between it and this server, so having a hidden service directly in the network just eliminates a source of contention. Despite not having an https scheme, the .onion URL is still completely encrypted from your browser to the lobsters server.

                                                              1. 1

                                                                I realized that after stepping away from my desk, thanks. Guess I’m used to always checking the URL bar when expecting SSL via the browser.

                                                                1. 1

                                                                  I think TorBrowser should show something different for .onion URLs. The regular globe icon instead of a padlock does seem to promote that .onion URLs are less secure than an https URL that exits out of Tor.

                                                            2. 1

                                                              Wait, are you implying that you can see the IPs of users accessing lobste.rs via Tor? I’m curious about your deanonymization techniques…(and I suspect the NSA would be too).

                                                              1. 1

                                                                No, as tedu said, I misread artem’s post. If you access lobste.rs via Tor through an exit node, I just see the exit node’s IP.

                                                            3. 4

                                                              Besides evil jcs attacks, oppressive tech news hating regimes won’t be able to block access to the site. I wish the previous statement were as absurd as it sounds.

                                                              (Actually, I think both jcs and I misread your question. Accessing the regular site over tor would work too, and also wouldn’t reveal your IP.)

                                                              1. 2

                                                                It never leaves Tor, preventing tampering from the ISP or other people

                                                              1. 1

                                                                How has posting this made the Internet safer?

                                                                I feel very sorry for anyone who hasn’t upgraded their Safari to latest, because this will certainly make its way into every web exploit kit.

                                                                1. 3

                                                                  This article didn’t really give a lot of information. I imagine they mean including security in the DevOps process?

                                                                  In that case, the best presentation I’ve seen so far is Security Automation at Twitter: http://videos.2012.appsecusa.org/video/54250716

                                                                  1. 1

                                                                    This is an excellent presentation, thank you for sharing @artem! This particular post was a simple conversational piece. We will do weekly posts hereafter that will give technical examples on how to integrate Security into the DevOps process.

                                                                  1. 2

                                                                    I think a lot of these companies are one motivated lawyer away from writing some large settlement checks. It doesn’t sound like the people there are even aware that there are questions that are simply illegal to ask in an interview (see: http://www.mtu.edu/equity/pdfs/whatyoucanandcantasklongversion8-12-04.pdf).

                                                                    In the large corporations I previously worked in the interviewers were also required to keep a written record of why every candidate was selected or rejected. The meticulous documentation is the only effective way to ward off people who are simply after a quick buck.