1. 3

    Maybe someone at Twitter saw the similar GitHub issues a few days ago and thought to audit their logs?

    1. 4

      My guess is that both Twitter and GitHub saw the GDPR deadline looming and decided to audit their estates.

    1. 9

      If you don’t mind the tinfoil, this could well be a shakedown test to see how Russia might deal with partitioning of the network in a time of relative peace, before being surprised during some other time.

      Then again, that’s the sort of idle speculation I’d give back in my HN days.

      1. 3

        Maybe not the intention, but I can’t imagine the data point would go unnoticed.

        1. 3

          According to the timeline, it may seem related to Telegram.

          Here’s my tinfoil take :)

          Russia banned the telegram app at the beginning of the month[1]. They basically blacklisted their domains.

          Telegram started to use the google app engine as a domain front [2].

          I guess Russia is trying to prevent domain fronting for future ban cases. I guess it is easier for them to send a takedown notice to a Russian cloud provider than to an American one.

          [1]: https://www.nytimes.com/2018/04/13/world/europe/russia-telegram-encryption.html

          [2]: https://en.wikipedia.org/wiki/Domain_fronting

          1. 2

            Probably not the intention, because running the blocklist updates in that mode means that an external party can easily force a block of something critical inside Russia at a moment when neither the blocklist operators nor ISPs have spare capacity to react sanely. People who are qualified to understand your point also know that Roskomnadzor is not qualified to prevent the risk I describe.

            But some note-taking about unexpected dependency chains will be done anyway.

            1. 1

              If you were to pile some more tinfoil on, what else might we expect to see from Russian authorities?

            1. 2

              I believe this is a link with technical details of the attack: http://seclists.org/oss-sec/2016/q4/760

              1. 4

                “state-sponsored actor”. Let the attribution dice roll!

                1. 4

                  don’t people attribute hacks to ‘state-sponsored actors’ only because it makes them look less bad than if they were hacked by ‘some 17 yo kids in their parents’ garage’?

                  1. 1

                    I guess a 17 yo kid who attended public school is technically state-sponsored.

                  2. 1

                    Maybe it was the US state?

                    1. 1

                      Interesting accusation, particularly after all the goings on with Yahoo Mail at the time of the Democratic National Convention.

                    1. 3

                      Does anybody else have no idea what RAP and ROP are?

                      1. 8

                        If you want to build a program at run-time, you can find the addresses of blocks of code that do what you want, but are followed by a ret. These addresses are called gadgets. You can then execute your program by pushing these gadgets onto the stack in the order you want them to execute, and then returning with the ret instruction. This is called ROP: return-oriented programming.

                        RAP is “return-address protection”, and it’s a device where you save an extra cookie someplace before calling a function, and then verify that the cookie is in that place before returning. This allows you to detect if someone is using the end of your function as a gadget.
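                        As an added illustration of the two mechanisms in the comment above (example code written for this page, not the commenter's and not the PaX RAP implementation): a toy stack machine in C where a gadget is any code ending in RET, an attacker-controlled stack of gadget addresses drives execution as soon as one RET runs, and a RAP-style check stops the chain at the first gadget because no call prologue ever ran for it. The opcode set, the program image and RAP_KEY are all made up for the demonstration; the assumed model is that the CALL prologue records the return address XOR a key and the RET epilogue verifies it.

```c
#include <stdint.h>
#include <stdio.h>

/* Opcodes of a made-up stack machine, used only to illustrate the mechanism. */
enum { OP_HALT, OP_ADDK, OP_MULK, OP_CALL, OP_RET };

#define RAP_KEY 0x5A5A   /* stands in for the per-process secret of a real scheme (assumed) */

typedef struct {
    const uint8_t *code;
    int pc;           /* index into code[] */
    int acc;          /* the machine's only data register */
    int stack[16];    /* return addresses; stack[sp-1] is the top */
    int sp;
    int rap_enabled;
    int rap_cookie;   /* written by the CALL prologue, checked by RET */
    int violation;
} vm_t;

/* Executes one instruction; returns 0 when the machine must stop. */
static int step(vm_t *vm) {
    switch (vm->code[vm->pc]) {
    case OP_HALT:
        return 0;
    case OP_ADDK:
        vm->acc += vm->code[vm->pc + 1];
        vm->pc += 2;
        return 1;
    case OP_MULK:
        vm->acc *= vm->code[vm->pc + 1];
        vm->pc += 2;
        return 1;
    case OP_CALL: {
        int ret = vm->pc + 2;
        vm->stack[vm->sp++] = ret;       /* what CALL does on any machine */
        vm->rap_cookie = ret ^ RAP_KEY;  /* RAP prologue: remember the only legal return target */
        vm->pc = vm->code[vm->pc + 1];
        return 1;
    }
    case OP_RET: {
        if (vm->sp == 0) { vm->violation = 1; return 0; }
        int ret = vm->stack[--vm->sp];
        /* RAP epilogue: a gadget reached through a corrupted stack has no matching prologue. */
        if (vm->rap_enabled && (ret ^ RAP_KEY) != vm->rap_cookie) {
            vm->violation = 1;
            return 0;
        }
        vm->pc = ret;
        return 1;
    }
    default:
        vm->violation = 1;
        return 0;
    }
}

/* Runs until HALT, a violation, or the step budget is spent.
 * Returns the accumulator, or -1 if a RAP violation was detected. */
static int run(vm_t *vm) {
    for (int budget = 100; budget > 0 && step(vm); budget--) {}
    return vm->violation ? -1 : vm->acc;
}

/* Program image (constructed for the demo). Two small functions whose epilogues double as gadgets. */
static const uint8_t image[] = {
    OP_HALT,        /*  0: where the chain finally lands                       */
    OP_ADDK, 10,    /*  1: body of F1      -> gadget g1 = 1: "ADDK 10; RET"    */
    OP_RET,         /*  3: F1 epilogue                                         */
    OP_MULK, 3,     /*  4: body of F2      -> gadget g2 = 4: "MULK 3; RET"     */
    OP_RET,         /*  6: F2 epilogue                                         */
    OP_RET,         /*  7: the vulnerable function's own RET                   */
    OP_CALL, 1,     /*  8: a legitimate caller: CALL F1                        */
    OP_HALT,        /* 10: ... then halt                                       */
};

/* The attacker has overwritten the stack with [g1, g2, HALT] and the vulnerable
 * function is about to execute its RET at offset 7.
 * Returns acc (30 without RAP) or -1 when RAP catches the chain. */
int demo_rop_chain(int rap_enabled) {
    vm_t vm = { .code = image, .pc = 7, .rap_enabled = rap_enabled };
    vm.stack[vm.sp++] = 0;   /* pushed first, popped last: HALT */
    vm.stack[vm.sp++] = 4;   /* g2 */
    vm.stack[vm.sp++] = 1;   /* g1 runs first */
    return run(&vm);
}

/* A normal CALL/RET pair passes the same check: returns 10. */
int demo_legit_call(int rap_enabled) {
    vm_t vm = { .code = image, .pc = 8, .rap_enabled = rap_enabled };
    return run(&vm);
}

int main(void) {
    printf("ROP chain, RAP off: acc=%d\n", demo_rop_chain(0));
    printf("ROP chain, RAP on:  %d (-1 means violation)\n", demo_rop_chain(1));
    printf("legit call, RAP on: acc=%d\n", demo_legit_call(1));
    return 0;
}
```

                        Without the check, the three stack entries are enough to run "ADDK 10" and "MULK 3" back to back even though nothing ever called F1 or F2; with it, the vulnerable function's own RET already fails because the address it pops was never recorded by a prologue. The model keeps a single cookie and no nesting, so a chain that returned to exactly the last legitimately recorded address would still pass here; the real scheme ties the cookie to the frame for that reason.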

                        1. 2

                          Is there an equivalent for J(ump)OP? Will we just see many ROP-using exploits switch to JOP or is there a practical reason that it’s unlikely to be the next iteration in the cat-and-mouse game?

                          1. 1

                            I was curious about this too and found this paper: https://cseweb.ucsd.edu/~hovav/dist/noret.pdf.

                        2. 3

                          This paper is one of the best ones I’ve read on it. It also wins points for a fantastic title:

                          https://cseweb.ucsd.edu/~hovav/dist/geometry.pdf

                          1. 1

                            It’s the predominant technique to achieve remote code execution in systems with ~“data execution prevention” or “write or execute” memory protections, which prevent exploits from executing malicious code directly.

                          1. 15

                            I’m appalled at FTA since some industries rely on it for “secure” transfer.

                            Also it’s only mentioned in the timeline but the tester got $10,000 for their report. Nice!!

                            1. 17

                              Probably saving FB millions.

                              1. 1

                                Probably not, methinks. I am fairly convinced by the argument that these bugs are not worth as much as people seem to think they are.

                                1. 6

                                  While I’m sure this has been debated enough, and I don’t have nearly enough data to decide whether the vulnerability is worth $10,000, I think it’s important not to compare the value of a vulnerability on an open market to the value of the vulnerability to Facebook itself.

                                  The right attack on Facebook may not provide much financial gain to the attacker but would cost Facebook plenty in terms of credibility and customer trust.

                                  1. 3

                                    This argument unfortunately comes pretty close to extortion. It sure would be a shame for me to throw this rock through your window. How much would you like to buy my rock for? Nobody else will offer me anything at all, but I think you’re just the buyer I’m looking for.

                                    1. 1

                                      I don’t think so either. Facebook is widely hated, but that doesn’t mean it’s not widely used. They can afford a lot of hatred because they are so big.

                              1. 1

                                It’s always great to see how multiple low-threat vulnerabilities can be combined to create one with a much higher threat!

                                1. 4

                                  This could easily be retitled as “Yet Another Reminder on How Not to Host Your Web Site.”

                                  1. 1

                                    I haven’t decided yet if all these write ups I’ve seen lately are a good or depressing thing.

                                    It may be good because it’s giving obvious security mishaps visibility to the uneducated or it may be depressing because we keep seeing the articles about the same problems over and over (i.e. is anyone actually learning?).

                                  1. 3

                                    While I am happy that there is such functionality in the Linux kernel, this feels like a slightly over-engineered and complex solution to the problem of restricting access to certain system calls.

                                    1. 3

                                      I agree – seccomp really seems to suffer from second system effect. I think the biggest problem is that it makes the logical next step in sandboxing system calls unnecessarily hard. I glossed over it in the article, but inspecting any non-integer system call arguments requires a supervising process to inspect the sandboxed process with ptrace.
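                                      To make that limitation concrete, here is an added seccomp-bpf example (written for this page, not taken from the article or the commenter) that installs a filter refusing socket() with AF_INET and allowing everything else. The address family is a plain integer in seccomp_data.args[0], so the filter can compare it. A path handed to openat() sits in the same kind of slot only as a userspace pointer, which the filter cannot dereference; that is the gap the comment says a ptrace supervisor (or, on newer kernels, seccomp's user-notification return action) has to fill. The function names and return-value convention are this example's own. It builds on Linux x86_64 or aarch64; elsewhere demo_seccomp() just returns 0.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

#ifdef __linux__
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
# define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
# define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
# error "set SECCOMP_ARCH for this architecture"
#endif

#define SD(field) offsetof(struct seccomp_data, field)

/* Installs a filter: socket(AF_INET, ...) fails with EPERM, everything else is allowed.
 * Returns 0 on success, -1 if the kernel or an outer sandbox refused it. */
int install_no_ipv4_filter(void) {
    struct sock_filter prog[] = {
        /* Check the ABI first: syscall numbers differ between architectures. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Only socket() is of interest; anything else is allowed. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_socket, 0, 3),
        /* args[0] is the address family: an integer, so the filter can compare it.
         * A pointer argument (e.g. the pathname of openat) would only show its value here. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = {
        .len = sizeof prog / sizeof prog[0],
        .filter = prog,
    };
    /* Required unless the caller has CAP_SYS_ADMIN; also stops setuid escalation. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0) return -1;
    return 0;
}

/* Returns 1 when the filter behaves as described, 0 if it could not be installed
 * in this environment, -1 if it was installed but did not block as expected. */
int demo_seccomp(void) {
    if (install_no_ipv4_filter() != 0) return 0;

    int fd = socket(AF_INET, SOCK_STREAM, 0);   /* should be refused */
    int blocked = (fd < 0 && errno == EPERM);
    if (fd >= 0) close(fd);

    int fd2 = socket(AF_UNIX, SOCK_STREAM, 0);  /* different family: still permitted */
    int allowed = (fd2 >= 0);
    if (fd2 >= 0) close(fd2);

    return (blocked && allowed) ? 1 : -1;
}
#else
int demo_seccomp(void) { return 0; }   /* seccomp is Linux-only */
#endif

int main(void) {
    int r = demo_seccomp();
    printf("seccomp demo: %s\n",
           r == 1 ? "AF_INET refused with EPERM, AF_UNIX allowed"
         : r == 0 ? "filter could not be installed here"
                  : "filter installed but did not block");
    return 0;
}
```

                                      The filter is enforced by the kernel on every subsequent syscall of the process, so after demo_seccomp() returns 1 the process can still do everything except open IPv4 sockets. The architecture check at the top is not optional in real filters: without it a 32-bit compat syscall could be matched against the 64-bit number table.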

                                    1. 2

                                      I’d love to see a similar online course teaching the fundamentals through exercises.

                                      1. 1

                                        I actually found the theoretical and practical explanation of using ROP (Return Oriented Programming) pretty good!

                                        1. 4

                                          While you shouldn’t expose your .git folder to the world, it’s probably also good practice not to put credentials into your source control.

                                          1. 4

                                            More details about the exploit at: http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-the-open-type-font-manager-vulnerability-from-the-hacking-team-leak/.

                                            Clearly there is a bug in the code, but more importantly why is a font driver running in kernel mode? Would running the code in user space not reduce the effectiveness of the bug?

                                            1. 5

                                              History: Windows NT 3.51 had the Win32 stuff, as the primary subsystem, run in CSRSS, and Windows was good and like a microkernel. Enter Windows NT 4.0. The Win32 stuff is moved into a kernel driver called win32k.sys, to improve speed. (Printing was moved into the kernel as well.)

                                              To improve reliability and security, Windows since Vista has been undoing a lot of this. (Example: when GPU drivers crash, they can gracefully restart.)

                                              Note I am not a Dave Cutler or Mark Russinovich, and as such, my knowledge of NT’s guts may be a bit off.

                                            1. 6

                                              I think the reality is somewhere in the middle of the two extremes.

                                              While it is quick and easy to ‘pick up’ a new language, it takes much more time and effort to become experienced and really productive with it.

                                              With an existing codebase and a big enough team you can get experienced much quicker.

                                              1. 5

                                                I quite like the closing sentence: “The network is not a security boundary anymore.”

                                                1. 1

                                                  It is also recommended not to use auto-incrementing ids on S3 (and I think DynamoDB), to best distribute load across partitions. In this case UUIDs aren’t necessary: you can simply reverse the order of the digits in the auto-incrementing id.

                                                  Additionally, I’ve always felt uncomfortable with treating UUIDs as unique because the chance of a collision is so small. Surely if you want something to be unique (as in the case of a primary key in the database) you’d have to deal with collision resolution in the code, no matter how small? I wouldn’t feel comfortable with the code otherwise :(

                                                    1. 6

                                                      By that same measure you shouldn’t trust cryptography.

                                                      UUIDs also have non-random variants, though. They just require coordination as you scale.

                                                      1. 4

                                                        Good point!

                                                        After posting I gave it lots more thought (and read the wiki link above) and am actually warming up to the idea of UUIDs. Even if a collision does occur, if it’s set as the primary key on your database, the error handling is probably there already.

                                                        1. 2

                                                          Yeah - I’ve used UUIDs as primary keys, actually, in Postgres. I’m definitely guilty of being a programmer rather than a DBA (… is there a word for “non-DBA programmer”? Surely, DBA is programming), and if I’d had the advice that they work badly with GIN and GIST indices, I’d have avoided them. I’m sure the docs said it somewhere…

                                                          But they worked decently well. At that company’s scale, there was no performance issue. It was probably less than 1M rows in the largest table, for what that’s worth.

                                                      2. 6

                                                        Additionally, I’ve always felt uncomfortable with treating UUIDs as unique because the chance of a collision is so small. Surely if you want something to be unique (as in the case of a primary key in the database) you’d have to deal with collision resolution in the code, no matter how small?

                                                        Not to dog-pile, but another point to consider: the filesystem that stores your database is likely using UUIDs internally to represent chunks/extents.

                                                        You’re fine.

                                                      1. 42

                                                        Excuse the strong language, but I can’t stand snobbish, deceitful drivel like this. The article attempts to make the explicit point that programming is not a craft (because, apparently, the author thinks they have a monopoly on what it means for something to be a craft). But its subtext is far more sinister: it not-so-subtly weds the idea of craftsmanship to negative qualities like “big ego”:

                                                        So here’s my concern with the idea of Software Craftsmanship. It’s at risk of letting programmers’ egos run riot. And when that happens… well, the last time they went really nuts we got Web Services, before that J2EE. They convinced the British government that they wanted an uber-database to store Everything Ever About Everyone. You see where I’m going?

                                                        Um. What?

                                                        Blatantly irrelevant analogies:

                                                        Non-programmers don’t care about the aesthetics of software in the same way non-plumbers don’t care about the aesthetics of plumbing – they just want their information in the right place or their hot water to work. (Although it’s fair to say they appreciate decent boiler controls.)

                                                        Programming isn’t plumbing and plumbing isn’t programming. What one does has no bearing on the other.

                                                        Well it seems to me the most successful programmers I’ve encountered don’t craft software

                                                        Which is clearly supposed to read as, “Successful programmers don’t craft software.” I’m not putting words in the author’s mouth. The entire point of the article is to seemingly generalize their own opinions to programming as a whole.

                                                        More deceit:

                                                        Do I need to demonstrate any kind of skill? No. Any specific credentials? No. Any kind of experience working in the field? Nope (and as the Pragmatic Programmers are happy to remind you, ten years experience is very different from one year repeated ten times). In fact, all I have to do to associate myself with Software Craftsmanship movement is to fill in my name on the website. Woohoo!

                                                        As if acknowledging craftsmanship necessarily implies throwing out every other indicator. Really? The subtext with this nonsense is that people that see programming as a craft will produce lower quality code. The author even bemoans the loss of good programmers to the craft:

                                                        Software practitioners – especially, ironically, the good ones – often lose sight of this. They fall in love with the software itself and start thinking of themselves as craftsmen of software.

                                                        Unbelievably, despite the fact that programming isn’t a “proper” profession (the author’s words), the author has still somehow managed to identify good programmers from bad programmers. I know I’ve certainly never needed to see someone else’s certificate, nor have I ever needed the approval of some “Software Craftsmanship Council” to tell if a programmer was a real craftsman or not.

                                                        I’ll never forget my programming languages course. On the first day, the professor went around the room and asked us to name some properties of programs. You had the usual suspects: “correct,” “fast”, “functional”, “object oriented”, “size” and so on. I was the only one who said “beauty.”

                                                        Donald Knuth has my back:

                                                        We have seen that computer programming is an art, because it applies accumulated knowledge to the world, because it requires skill and ingenuity, and especially because it produces objects of beauty. A programmer who subconsciously views himself as an artist will enjoy what he does and will do it better. Therefore we can be glad that people who lecture at computer conferences speak of the state of the Art.

                                                        You can try to impose as many pre-conceived judgments on me as you want (“losing sight of the utility of software” or my giant “ego”), but I’m never going to stop seeing programming as a craft. I always have and I always will.

                                                        1. 7

                                                          Fantastic quote by Donald Knuth!

                                                          A programmer who subconsciously views himself as an artist will enjoy what he does and will do it better.

                                                          To me, this is the biggest thing that separates software engineering from many other engineering professions.

                                                          1. 3
                                                          2. 5

                                                            Thanks for this. The article bothered me, but I didn’t feel able to explain why. As a “hook”, the author refers repeatedly to a disconnect between engineers and users, and, actually, that’s true - there are several such disconnects and they deserve individual attention. I suspect most readers will agree with that part. You correctly point out that the real thesis here doesn’t follow from it, and I agree with all your points.

                                                            I guess I’d not go so far as to call this “deceit”; I believe the author is sincere. Most people who have conflated different things like this are unaware they’ve done so. I’ll give you “snobbish” though. :)

                                                            You have me very curious - how did the professor and other students respond to “beauty”?

                                                            1. 4

                                                              As a “hook”, the author refers repeatedly to a disconnect between engineers and users, and, actually, that’s true - there are several such disconnects and they deserve individual attention. I suspect most readers will agree with that part.

                                                              Definitely agreed.

                                                              I guess I’d not go so far as to call this “deceit”; I believe the author is sincere. Most people who have conflated different things like this are unaware they’ve done so.

                                                              Also agreed. I could have been more charitable. Just got a bit riled up!

                                                              You have me very curious - how did the professor and other students respond to “beauty”?

                                                              My professor paused and smiled, then moved on to the next student. It was one of those “first day of classes, let’s get the juices flowing” kind of thing. But that moment has stuck with me.

                                                              We actually became very good friends. I went on to TA that course a couple times, and it is one of the most enriching experiences I’ve ever had!

                                                              1. 1

                                                                Neat. :)

                                                            2. 2

                                                              Well,

                                                              I like the idea of programming as craft but I liked that the article raised a number of issues involved with the craft conception - despite the unfortunate “slick consultant” tone.

                                                              The challenge is to engage in software craftsmanship in a fashion that makes a customer care about that craftsmanship.

                                                              The example of the plumber seems good. The average person understands that not everyone who can stop a leak does so with equal skill. The immateriality of software makes that understanding harder. How can it be communicated to people effectively?

                                                              1. 2

                                                                Programming isn’t plumbing and plumbing isn’t programming. What one does has no bearing on the other.

                                                                While you’re right, I think his analogy here is apt, but it also misses the point. A good plumber would see a bad plumber’s jumble of pipes and think “That’s a fucking mess”, just like good/bad programmers do with code. And why do we think it’s a mess? The reason a jumble of pipes or a pile of spaghetti code is scary is because we’ve been trained to recognize these patterns and associate them with a broken plumbing system or broken software.

                                                                There’s a reason why highly skilled programmers think simple, elegant code is something to work towards, and that reason is because more often than not, it works.

                                                                Either way, I absolutely agree with you. And this article has some serious gaping holes.

                                                                1. 1

                                                                  Totally fair point! Agreed. :-)

                                                              1. 4

                                                                C++ isn’t ‘back’ because it didn’t go anywhere. It has its use cases, as do Python, Java, Ruby, Node.js, Go, etc.

                                                                The right tool for the right job.

                                                                1. 8

                                                                  It definitely didn’t go anywhere, but I think C++11/14/17 helped revitalize it, and as much as I hate to say it I think Microsoft is also helping by making/keeping it a first class citizen in their new APIs. Being able to mix C++ with Objective C is quite well done on Mac and iOS. It would have been nice if Android had used 100% C++ instead of Java, although that is my number 2 language. I’d like to see C++ become the university compsci lingua franca again; maybe C++11/14/17 will help that.

                                                                  1. 2

                                                                    True, both. It had never gone, but it’s like it had let itself go a little. It seems both the language and the environment are keeping up with the times.

                                                                  2. 3

                                                                    Pretty damn good use cases though:

                                                                    http://www.lextrait.com/vincent/implementations.html [→ from the book]

                                                                  1. 1

                                                                    I wish it supported markdown…

                                                                    1. 1

                                                                      Atom has an awesome markdown preview package that makes it great for note taking IMO.

                                                                      1. 1

                                                                        Check out Mou! Been using it for a few months to take notes for technical classes and even for writing papers!

                                                                        http://25.io/mou/

                                                                        1. 1

                                                                          Watch out for markdown :) Awesome idea, I’ll implement it soon!

                                                                        1. 5

                                                                          I wonder why they don’t store the entities in a hashmap with the entity ID as the key. Then each object can look up a referenced entity quickly, and will also know if the object has been deleted and removed from the hashmap.

                                                                          1. 2

                                                                            I was wondering a similar thing since this is how I have actually done it on games I’ve worked on.

                                                                            I have an automatically incrementing id to give to new entities and use this as a key in a hash table; entities remove themselves when dead. Other entities only store entity ids and detect that those entities have died when the lookup in the hash table fails.

                                                                            Maybe Doom/Quake/etc didn’t choose such a solution for performance reasons on older PCs?