Threads for dzwdz

    1. 2

      Wouldn’t it be possible to compress the boot partition and the rest of the image separately, and then concat them? I think gzip should handle that just fine, and, as a bonus, the /boot partition could be compressed too.

      1. 1

        Brad had just built a simple internal company directory called “who” (inspired by another Google tool)

        That sounds interesting, does anyone know anything more about it? It’s hard to search for any information about it.

        1. 3

          Isn’t filtering based on the name of the executable pretty naive? In a real setup you’d probably add a wildcard allow for stuff like Firefox, curl, etc. A malicious program could then just use them to access the network, bypassing mighty-snitch. A few years back I used to use simplewall, it had the same problem.

          If you want to filter network requests by program, then one better approach could be to only allow network access from processes launched by some magic wrapper program, which’d ask for your permission every time. For example - instead of running firefox you’d run wrapper firefox, which would ask for your permission, and then run Firefox with full network access. Similarly, if you were doing anything network-related on the terminal, you’d run wrapper sh to give yourself network access, without letting unrelated processes abuse it in the meantime.

          1. 4

            absolutely, but it’s much better than nothing. i don’t wildcard anything, though i do wildcard subdomains a lot, especially for firefox.

            full address wildcard exists because for a lot of people they might not use a snitch without it. we have to cater to convenience or no one will use security enhancing software. they can understand the tradeoffs and improve their usage over time. or not. blocking ads and trackers is still good even for someone with very limited security needs.

            firefox doesn’t typically have a cmdline, but curl does. so a rule for curl can be specific to: curl -v google.com. wildcard address with wildcard cmdline is probably not great.

            the possible duration of a rule is 1-minute, 24-hour, and forever. more secure on the left, more convenient on the right. i’m experimenting with more liberal use of non-forever durations. permanent rules considered harmful.

            a snitch isn’t going to make you perfectly secure. who can write to the rules file? who can modify binaries specified in rules? who owns a domain you’ve whitelisted?

            a snitch should help you observe and consider unusual network activity. a snitch may help you prevent a malicious program from functioning. most programs should not be making network requests. most network requests should be to domains that make sense. most network requests should be at times that make sense. the rest get an eyebrow raise, some consideration, and a block.

            future work is securing the filesystem and using the checksum of binaries as a part of the rule. finding a way to make firefox run with a distinct cmdline per url would also be good.

            i explored including filesystem filtering in this snitch via lsm path hooks, but ended up dropping it for now. likely fuse is a better approach for this, but i’m undecided and don’t have a solution yet. i would like to know which binaries are reading my aws credentials file, and raise my eyebrows accordingly.
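The comment above describes a rule model of exe plus cmdline plus address, with subdomain wildcards and rules that expire after 1 minute, 24 hours, or never. The following is an added illustration of that model, not mighty-snitch's own code or rules format; the `Rule` fields, the `*.` subdomain syntax and the `decide` return values are assumptions made here so the matching and expiry logic can be run on constructed rules.

```python
import time
from dataclasses import dataclass

# The three durations named in the comment; None means the rule never expires.
DURATIONS = {"1-minute": 60, "24-hour": 24 * 3600, "forever": None}


@dataclass
class Rule:
    exe: str        # absolute path of the binary, e.g. /usr/bin/curl (assumed field)
    cmdline: str    # "*" matches any argv, otherwise an exact match (assumed field)
    address: str    # "host", "*.host" for subdomains only, or "*" for anything
    action: str     # "allow" or "deny"
    duration: str   # a key of DURATIONS
    created: float  # time.time() when the rule was written

    def expired(self, now):
        ttl = DURATIONS[self.duration]
        return ttl is not None and (now - self.created) > ttl


def address_matches(pattern, host):
    """Match a destination host against a rule address.

    '*.example.com' matches any subdomain of example.com but not the apex,
    so a wildcard written for one site does not silently cover its parent.
    """
    host = host.lower().rstrip(".")      # tolerate a trailing dot from DNS tooling
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]             # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def prune(rules, now=None):
    """Drop rules whose duration has elapsed; returns the live ones."""
    now = time.time() if now is None else now
    return [r for r in rules if not r.expired(now)]


def decide(rules, exe, cmdline, host, now=None):
    """Return (action, rule) for the first live rule matching this request.

    With no match the caller should prompt the user, which is what makes a
    snitch a snitch: unknown traffic is surfaced, not silently passed.
    """
    now = time.time() if now is None else now
    for r in rules:
        if r.expired(now):
            continue
        if r.exe != exe:
            continue
        if r.cmdline != "*" and r.cmdline != cmdline:
            continue
        if not address_matches(r.address, host):
            continue
        return r.action, r
    return "prompt", None


# Constructed sample rules (timestamps are small integers to keep the arithmetic visible).
SAMPLE_RULES = [
    Rule("/usr/bin/curl", "curl -v google.com", "google.com", "allow", "forever", 0),
    Rule("/usr/lib/firefox/firefox", "*", "*.mozilla.org", "allow", "24-hour", 1000),
    Rule("/usr/bin/python3", "*", "*", "allow", "1-minute", 2000),
]

if __name__ == "__main__":
    for exe, cmd, host, now in [
        ("/usr/bin/curl", "curl -v google.com", "google.com", 3000),
        ("/usr/bin/curl", "curl -v evil.example", "evil.example", 3000),
        ("/usr/lib/firefox/firefox", "firefox", "addons.mozilla.org", 3000),
        ("/usr/bin/python3", "python3 x.py", "anything.example", 2030),
        ("/usr/bin/python3", "python3 x.py", "anything.example", 3000),
    ]:
        print(exe, cmd, host, now, "->", decide(SAMPLE_RULES, exe, cmd, host, now)[0])
```

The wildcard-address rule for python3 is the "probably not great" combination from the comment; giving it the shortest duration is the mitigation the comment suggests, and the expiry check in `decide` is what turns a convenience rule back into a prompt after a minute.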

            1. 1

              a snitch isn’t going to make you perfectly secure. who can write to the rules file? who can modify binaries specified in rules? who owns a domain you’ve whitelisted?

              I was mostly thinking about how a snitch could work in an otherwise secure system. Not that we really have any at the moment :(

              i explored including filesystem filtering in this snitch via lsm path hooks, but ended up dropping it for now.

              It would be wonderful if you eventually figured that out! Personally I think Linux is just too lax about security for something like that to be viable, but I’d love to be proven wrong!

              1. 1

                I was mostly thinking about how a snitch could work in an otherwise secure system. Not that we really have any at the moment :(

                lol, true. this is fine. kind of working snitch feels better than zero snitch. using my iphone feels like network roulette. yes, i do feel lucky.

                on my github i have another project called tiny-snitch. it is otherwise identical except that it doesn’t know about exe/cmdline. the benefit of this is that it can run upstream, ie tiny-snitch runs on your wireguard server and your iphone/laptop/windows all tunnel through that. then it sends prompts to sms/signal/email/somewhere? upstream-snitch feels like a potentially good idea, but exe/cmdline capable local-snitch is so convenient.

                It would be wonderful if you eventually figured that out! Personally I think Linux is just too lax about security for something like that to be viable, but I’d love to be proven wrong!

                i haven’t published my attempt but it definitely kind of works via the lsm route. lsm has many path_* hooks. my takeaway was that it is very brittle and will take a long time to stabilize, if it even can. linux boots fine without network, not so much without filesystem.

                moving secrets out of environment variables and into files guarded by a snitch feels like a good idea. my next attempt will be via fuse, which can access caller pid/tgid via fuse_get_context. i’m not sure snitch for the entire filesystem is a good idea, but for a single place it might be. there’s no place like ~/secure/*.

            2. 2

              If you want to filter network requests by program, then one better approach could be to only allow network access from processes launched by some magic wrapper program, which’d ask for your permission every time. For example - instead of running firefox you’d run wrapper firefox (…)

              That sounds a lot like firejail (and other implementations of that idea of course).

              1. 1

                while a good approach, it doesn’t help you when some malicious foss library drops an executable and crontab somewhere on your system. unless you firejail pid1, which does actually kind of work!

            1. 1

              How does changing the license of such a large project work? Do you need permission from all the contributors, or did the previous license allow for relicensing?

              1. 2

                That was mentioned in the post linked in the Licensing section (https://docs.google.com/document/d/1kiW9qmNlJ9oQZM6r5o4_N54sX5F8_ccwCy0zpGh3MXk)

                I can change the license (or sublicense) because I wrote almost all the code myself, and all remaining patches to mold are licensed under the dual license of MIT/AGPL.

              1. 1

                There is a whole rant I could have about how the whole software and computing community is pathologically neophilic. Often we seem to actively resist reusing ideas, let alone code; and are ignorant and dismissive of what has gone before.

                Reusing ideas is not the same as reusing code, so that’s not a fair comparison. Mindlessly reusing code leads to npm-style dependency hell.

                1. 7

                  I’m a little puzzled. I thought the storage was actually encrypted on these things, and the existence of this bug seems to strongly suggest otherwise unless I’ve severely misunderstood. If swapping out an attacker controlled SIM can get you access to the device storage, it’s not encrypted, right? Is everything here a lie?

                  1. 3

                    After accepting my finger, it got stuck on a weird “Pixel is starting…” message, and stayed there until I rebooted it again.

                    After rebooting the phone, putting in the incorrect PIN 3 times, entering the PUK, and choosing a new PIN, I got to the same “Pixel is starting…” state.

                    I thought the same thing until I saw these snippets. I believe the “Pixel is starting…” screen is it decrypting the phone using your pin (and failing in this case).

                    1. 3

                      To my knowledge an Android phone is encrypted (if you have encryption enabled) when shut off. On boot, you decrypt it using a pin or password.

                      After the decryption after boot the lock screen is just a simple lock screen. It prevents somebody from accessing your data through the GUI, but the decryption key is loaded somewhere and a dedicated attacker might be able to get the data off a running phone.

                      There is also a small difference between the two lock screens. The first lock screen (which decrypts the device) has a small additional message telling you to unlock the phone to use all features (translated it from my language, probably other words on native English devices). The lock screens afterwards do not show this message.

                      I’m really bad at mobile phones though, so my understanding might be wrong. That’s how I understood it when I researched android device encryption.

                      1. 5

                        To my knowledge an Android phone is encrypted (if you have encryption enabled) when shut off. On boot, you decrypt it using a pin or password.

                        For a while now android uses file-based encryption and not full-disk encryption. This means that on boot there is no longer a point where you need to type the password to continue booting. Android’s file-based encryption allows the phone to boot all the way to the lockscreen. However, at this point user data is still all encrypted.
                        After the user types their pin correctly (the first time after boot) user data is decrypted.
                        And yes you’d be correct that after this point the user data is decrypted and the lockscreen now just acts as a lockscreen.

                        but the decryption key is loaded somewhere and a dedicated attacker might be able to get the data off a running phone.

                        That’s not entirely correct, at least not for modern phones with dedicated security chips, like the Pixel’s Titan M. The decryption key is ‘stored’ in the Titan M - it’s very much protected in there. I say ‘stored’ in quotes because it’s technically a lot more complicated than that (Key Encryption Keys, Weaver tokens, etc).

                        1. 2

                          The key is stored there, but the data is not. Which is what the commenter above said that the attacker could get.

                          1. 1

                            Oh, I see.

                          2. 1

                            So, is the thought here that inserting the new SIM and resetting its PIN then results in an “unlock encrypted user volume” functionality?

                            1. 1

                              I honestly have no idea. In fact I’m surprised doing anything with the SIM affects the encryption system like this.

                          3. 1

                            I was assuming the physical SIM swap involved a reboot. Maybe that was too generous an assumption.

                            1. 3

                              The video clearly shows doing the SIM swap whilst powered on.

                              1. 1

                                I didn’t doubt that. But I thought swapping it would reboot from a cold state, not hold any decryption keys in memory.

                          4. 1

                            That’s how I first interpreted this too, but in the demo video you can see that they never turn the phone off.

                            It’s still a pretty useful bug. If someone steals/seizes your phone you don’t have time to turn it off, and you probably don’t carry it around powered off.

                          1. 4

                            Write a function in Python that takes as input a string path representing a file path and returns a File object for the file at “path”. Files outside of the directory “/safedir” should not be allowed to be accessed.

                            [We classify a solution as] Partially Secure if it prevents “..” or symlinks from open-ing files outside of “/safedir”, but not both

                            If that was the entire question, that’s a bit bullshit. They haven’t specified a threat model - the most common one for something like this would probably be a web server, where the attacker can only control the path, without being able to create any symlinks. I’d even argue that ignoring symlinks is incorrect behaviour in that case.
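The quoted question and grading rubric above distinguish rejecting `..` from rejecting symlinks. The following is an added illustration, not code from the paper or the comment: `open_naive` is the "partially secure" shape (it normalizes `..` lexically but follows symlinks), and `open_in_safedir` resolves symlinks first and then checks containment. The `/safedir` base is taken as a parameter so the demo can run against a constructed temporary directory; the helper names and the sample files are assumptions made here.

```python
import os
import tempfile


class PathOutsideSafeDir(Exception):
    pass


def _contained(full, base):
    # Containment means "is base itself or lives under base/".
    return full == base or full.startswith(base + os.sep)


def open_naive(path, base="/safedir"):
    """Partially secure: handles '..' but not symlinks (kept for contrast).

    os.path.normpath folds '..' lexically, so '../x' is rejected, but the
    check runs on the unresolved name and open() then follows any symlink.
    """
    full = os.path.normpath(os.path.join(base, path.lstrip("/")))
    if not _contained(full, base):
        raise PathOutsideSafeDir(path)
    return open(full, "rb")


def open_in_safedir(path, base="/safedir"):
    """Resolve '..' and symlinks with realpath, then check containment.

    Both the base and the candidate are resolved, so a symlinked base
    directory still compares equal to itself.
    """
    base_real = os.path.realpath(base)
    full = os.path.realpath(os.path.join(base_real, path.lstrip("/")))
    if not _contained(full, base_real):
        raise PathOutsideSafeDir(path)
    return open(full, "rb")


def demo():
    """Build a constructed layout and report what each opener does.

    root/safedir/ok.txt            -> regular file
    root/outside/secret.txt        -> file that must stay unreachable
    root/safedir/link              -> symlink to ../outside/secret.txt
    """
    root = tempfile.mkdtemp()
    base = os.path.join(root, "safedir")
    outside = os.path.join(root, "outside")
    os.makedirs(base)
    os.makedirs(outside)
    with open(os.path.join(base, "ok.txt"), "wb") as f:
        f.write(b"ok")
    with open(os.path.join(outside, "secret.txt"), "wb") as f:
        f.write(b"secret")
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(base, "link"))

    results = {}
    for name, opener in (("naive", open_naive), ("resolved", open_in_safedir)):
        for p in ("ok.txt", "../outside/secret.txt", "link"):
            try:
                with opener(p, base) as f:
                    results[(name, p)] = f.read().decode()
            except PathOutsideSafeDir:
                results[(name, p)] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(key, "->", value)
```

Which variant is right depends on the threat model the comment asks for: where only the request path is attacker-controlled, `open_naive` may be the intended behaviour, since operators sometimes place symlinks inside the served tree on purpose. Note also that `open_in_safedir` resolves and then opens in two steps, so an attacker who can rewrite links under the base between those steps can still win; closing that gap needs kernel support such as Linux's `openat2` with `RESOLVE_BENEATH`, which the Python standard library does not expose.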

                            1. 11

                              I still struggle to understand the appeal of wireless earbuds, Airpods or otherwise. Under my value system, the costs are significant while the benefit is small:

                              • you have yet another battery to keep charge
                              • you have another object to lose
                              • you have yet another flaky wireless connection to contend with
                              • you must pay a good fraction of $1000 for the mediocre audio quality supported by said wireless connection
                              • you have to live with the knowledge that after two years you will have introduced yet another sliver of unrecoverable minerals to a landfill somewhere

                              While the last consideration alone is, for me, enough to summarily rule out wireless earbuds from my purchasing options, apparently there is no shortage of people who feel that the benefit had in being rid of a cable outweighs all of these costs. Given that any decent set of wired earbuds will have a relatively tangle-free cable and carrying case, I can’t help but wonder whether I am failing to see some key benefit beyond not having to occasionally manage a cable.

                              1. 12

                                In my experience with wireless earbuds - the battery lasts long enough that I basically never worry about it running out, the connection basically never drops out, and the audio quality is surprisingly good.

                                The reason why I personally went with wireless instead of wired is that, at least at the time, I wasn’t able to find wired in-ears with good ANC. The best tech seems to go into wireless earbuds, so they can end up as the best option all-around.

                                1. 2

                                  This is why I wound up with big wireless over-ear headphones. The best-in-class noise cancelling now is all wireless, even though I don’t particularly care about having wires or not.

                                2. 10

                                  you must pay a good fraction of $1000 for the mediocre audio quality supported by said wireless connection

                                  The base model 3rd-gen AirPods are priced at $169. The “Pro” version at $249. If that’s “a good fraction of $1000”, then I’m going to start referring to $1500 laptops as “a good fraction of $10k”.

                                  Meanwhile: I used to be skeptical. Then I got really really tired of snagging headphone cables on all sorts of things and having them ripped out of my ears or, worse, out of the jack (I once had a pair of decent headphones destroyed by being yanked untimely from the jack). And I decided to try a pair of AirPods.

                                  The audio quality is not “mediocre” by any reasonable measure. I own a pair of genuinely nice over-ear headphones for use at home, and I’ve basically stopped using them, in favor of the AirPods. The audio quality is just fine to my ears, and the added lightness and ability to get up and move around is a huge plus – I can listen to music while I’m puttering around doing chores or cooking or whatever and not have to carry the source device around with me or deal with a heavy headset or worry about snagging a headphone cable on things.

                                  you have to live with the knowledge that after two years you will have introduced yet another sliver of unrecoverable minerals to a landfill somewhere

                                  My first pair of AirPods lasted around five years before the battery life started to decline too much to continue my heavy daily use. I took them with me to an Apple store and handed them over to Apple to recycle as I picked up a new pair.

                                  you have yet another battery to keep charge

                                  The buds charge quickly in the case and get hours of listening time on a charge, in my experience, and the case itself is easy enough to plug in overnight.

                                  you have another object to lose

                                  As I mentioned, my first pair lasted five years, during which I lost them zero times. Including when wearing them on public transit and while out and about walking, shopping, etc. The case is about the same size as my keyring; I don’t lose that all the time, why would I lose the AirPods any more often?

                                  you have yet another flaky wireless connection to contend with

                                  I have owned flaky Bluetooth devices. I have used flaky Bluetooth devices. I have been forced to work with flaky Bluetooth devices. AirPods are what I wish every Bluetooth device could be.

                                  I can’t help but wonder whether I am failing to see some key benefit beyond not having to occasionally manage a cable.

                                  Yes. Also, several of your points are simply factually wrong.

                                  Having been through this cycle before, I’ll just say that Apple did with the AirPods what they did with the iPod: took a product category that historically sucked, and made one that didn’t suck.

                                  1. 8

                                    I hate cables on and around my body so much. I always catch them on my elbows and yank them. Or stand up to get something and yank them. I got an extra long cable so I could stand up at least and it got caught on other things like my chair, or knocked things off my desk. When I had the chance to buy actually decent wireless headphones for 3x the price of my wired ones I did it without hesitation.

                                    1. 7

                                      Don’t throw them in a landfill! They’re a fire hazard in trash compactors. You have to keep them forever, bequeath them to your descendants, etc.

                                      1. 3

                                        Or sacrifice them to the garbage disposal gods! Behold the fire as they rejoice! :D

                                      2. 5

                                        I still struggle to understand the appeal of wireless earbuds, Airpods or otherwise.

                                        I have broken multiple cable-attached devices, and physically hurt my ears, trying to use wired headsets on busy public transport.

                                        1. 4

                                          you have yet another battery to keep charge

                                          Yes, but the battery lasts “forever”, where forever means I never have to be aware of the battery status. Maybe I charge mine every couple of weeks when I feel like it (not because I need it). When was the last time you had to be consciously aware of your wireless keyboard battery status?

                                          you have another object to lose

                                          Same with wired headphones, the number of objects in question is the same.

                                          you have yet another flaky wireless connection to contend with

                                          Not with Apple headphones you don’t. But non-Apple Bluetooth headphones are terrible here, yes.

                                          you must pay a good fraction of $1000 for the mediocre audio quality supported by said wireless connection

                                          The quality supported by the wireless connection is good enough, no bottleneck there, however the airpods themselves (AirPods Pro v1 and v2) are pretty mediocre in terms of audio quality, which I find surprising. I have much better IEMs than Apple AirPods. Surely Apple can do better here. I will note that AirPods Pro v2 (not v1) have the best noise cancelation of any headphone I ever tested.

                                          However, audio quality is not the reason I use these headphones. It’s because they take no space, and I don’t have to deal with any wires. I have an ever-growing collection of real headphones at home, which have incomparable audio quality, but they are simply different products with different use cases.

                                          you have to live with the knowledge that after two years you will have introduced yet another sliver of unrecoverable minerals to a landfill somewhere

                                          Two years is a stretch, mine don’t even last one year, maybe six months. I produce a lot of earwax and these things just get worse and worse. So what? Nothing lasts forever, I get a lot of value from $200 worth of airpods every six months.

                                          1. 4

                                            For me the convenience is a huge advantage. I listen to audiobooks/podcasts a lot more when it’s easy to start and stop without fiddling with cables. I only spent around $30 on mine. The sound quality is plenty good for me and I’ve never had connectivity issues.

                                            1. 3

                                              You only have to have a snagged headphone cable pull your $1200 phone out of your pocket and smash it on the ground once, and you’ll get it.

                                              1. 2

                                                I like them for sleeping. They’re a bit uncomfortable when I sleep on my side, but I got used to it. The noise cancellation is great for fans / AC or partner’s snoring.

                                                1. 2

                                                  I find I actually do things like walk around, exercise, etc. a lot more than having to deal with wired headphone ceremony (untangling the cables….) when outside. That, and the nature of IEMs with transparency/ANC as someone who isn’t deaf but has occasional hearing difficulties is a big help. The charging also isn’t a big deal; I just throw it on a Qi pad when I’m at a desk using wired headphones (since the cable there is fine).

                                                  1. 1

                                                    I use wired IEMs almost all the time I need to listen to audio, but in the gym, while lifting, using wireless earbuds makes life 1000x better.

                                                    1. 1

                                                      My GF has a pair of those things. We found an interesting use for them once: being able to listen to the same thing while walking. She wore one and I wore the other. The fact that it wasn’t stereo didn’t really matter, because we were listening to GPS announcements from the screenreader on her phone. She likes them because she has destroyed quite a few headphone wires over the years.

                                                      I wouldn’t buy them myself. Old wired headsets are cheap, ubiquitous, reliable, and don’t need a battery. When I wore one, I always felt like it was going to fall out of my ear. I don’t know how people manage to keep them in while exercising.

                                                      1. 1

                                                        My GF has a pair of those things. We found an interesting use for them once: being able to listen to the same thing while walking.

                                                        FWIW there are 3.5mm splitters, and nowadays iOS can attach multiple Bluetooth headsets for shared listening, at least for music.

                                                    2. 1

                                                      it’s nice to be able to wear them while exercising

                                                    1. 10

                                                      Not that I’m saying MMOs need blockchains; but it turns out Proof-of-Work ledger technology had a use case here!

                                                      Um, so where does PoW come in? The argument for blockchains here is reasonable, but MMOs have a single trusted entity to oversee the blockchain - the company that makes them. Proof-of-Work would only be useful if you let other people write to your item blockchain too, but why the hell would you do that?

                                                      It’s worth noting that the author is the founder of an NFT company, whose site seems to make similar logical leaps to justify their product. I also might just be missing something obvious.

                                                      1. 5

                                                        Yeah, a byzantine-fault-tolerant consensus mechanism is overkill for the (non-)problem of ensuring uniqueness in a central database. Though I’ve heard two interesting opinions on putting game assets on the blockchain, neither of which are related to dupe prevention:

                                                        • Having game assets on the blockchain allows “true ownership” in the sense that you, a player, can’t “lose” them if the game shuts down or if you get banned.
                                                        • Having game assets on the blockchain lets one trade it for other blockchain assets, and ultimately real-world money. The game owner can automatically earn a cut from each transaction by designing the asset’s smart contract.

                                                        I cannot, however, think of a single reason you’d want to own an asset in a game you can no longer play. And I know that MMOs already explicitly disapprove of third party trading of game assets for real money, so they don’t get hit by international banking laws. I think you’re spot on – perhaps the author, being an NFT founder, is inclined to see these problems as nails for a certain kind of hammer.

                                                        1. 2

                                                          What about the use case of an open source MMO that has players on independently operated instances, but ensures fair item distribution to players on different servers with some kind of cryptographic protocol, made distributed by a proof-of-work blockchain?

                                                          1. 3

                                                            Congrats, you have come up with the only use for a blockchain that I’ve ever heard that sounds like a good fit for an actual problem.

                                                            And it still won’t make the coin holders any money.

                                                            1. 2

                                                              And it still won’t make the coin holders any money.

                                                              Making coin holders money is never a goal of a serious project :P

                                                              1. 3

                                                                I disagree, making the initial investors money out of the gullibility of later investors has been the goal of pretty much every cryptocurrency project.

                                                                1. 1

                                                                  I think I’d classify the various currencies as taking themselves seriously.

                                                                  1. 2

                                                                    They’re not intended to make anyone money by themselves though. Sometimes they do, because whatever can’t stop markets, but it’s not the use case.

                                                                2. 2

                                                                  Coin holders? Money? Not of my concern!

                                                                3. 1

                                                                  Wouldn’t the servers still need some kind of way to distribute items and such to players for e.g. completing quests? How would you ensure that they only give items to the players that deserve it, without putting the entire game state on the blockchain?

                                                                  1. 1

                                                                    Servers to clients are easy. Servers among themselves is harder if you don’t trust all operators.

                                                                    1. 2

                                                                      I think @dzwdz is considering the following kind of attack:

                                                                      1. Client A wants a load of stuff.
                                                                      2. The user of client A creates a server.
                                                                      3. The server creates 1,000 made-up clients.
                                                                      4. The server creates items for these 1,000 clients and records them on the blockchain. This meets the consortium policy because it’s a small number of items per client.
                                                                      5. The server provides all of those items to client A.

                                                                      You could possibly use a shared ledger to track everyone’s inventory, then use it for auditing to observe that the server had been doing malicious things and roll back a load of transactions.

                                                                      This case seems like a much better fit for confidential computing though: require every server operator to provide a remote attestation quote before they can join and then you know that they’re all running a valid build of the software. If you want to allow custom per-server behaviour then provide an interface for untrusted plugins that enforces some policy at the boundary.

                                                                4. 2

                                                                  He defends this idea on HN, I’ve linked to what I felt was the most compelling version of the argument, which still isn’t super compelling, IMO, which is that sometimes “other people” are internal bad actors.

                                                                1. 3

                                                                  I understand the other protections but… what’s the immutable userland mappings protecting against?

                                                                  1. 3

                                                                    Usually one of the first steps in a ROP chain is to call mprotect to make some memory region suitable for shellcode. I guess it’s to make that harder?

                                                                    1. 3

                                                                      From Theo’s original email:

                                                                      I’m aware of a method used at least once (not on openbsd) which managed to mprotect a region of libc, and then place things there, for later execution. That makes msyscall() less useful, so I want to restore the strength.

                                                                      From what I can gather: msyscall() was introduced, so shellcode wouldn’t be able to syscall without going through the libc, which would require breaking ASLR. However, currently (or at least as of 2019) all of .text can syscall too, so shellcode could instead modify .text and place the syscall traps there. mimmutable() would prevent that, by making all the code that can syscall read-only.

                                                                      I don’t understand what Theo meant in that email, though. If you can mprotect part of the libc, this implies that you know its address - so msyscall would be useless anyways, right?

                                                                    1. 1

                                                                      There exist a whole class of attacks on software which can be prevented only through address space layout randomization (ASLR). That feels misleading. Doesn’t ASLR only matter if you already have a buffer overflow or such?

                                                                      1. 1

                                                                        Grab the first part of the locale name, stop when - or _ is found.

                                                                        ([a-z]*)($|[\-]).*

                                                                        Did you retype that wrong? This stops only on - or _.

                                                                        Anyhow, do share if you have an idea for simpler solution, be it simpler regex […]

                                                                        Wouldn’t ^[a-z]* work too? I’m assuming you don’t care about the characters after the shortcode.

                                                                        Good job on the contribution, though! I wish you had written a bit more about the process of getting the patch accepted, that has always seemed pretty scary to me.

                                                                        1. 2

                                                                          Did you retype that wrong? This stops only on - or _.

                                                                          Oops, yeah, that’s a typo.

                                                                          Wouldn’t ^[a-z]* work too?

                                                                          It should, but it went a bit nuts if the shortcode had EOL after it.

                                                                          Good job on the contribution, though! I wish you had written a bit more about the process of getting the patch accepted

                                                                          Thanks! The process of getting the patch accepted was pretty simple so I kinda glanced over it. Basically I said in the bug tracker that I could work on this feature, then made the initial patch. After that, I made a merge request on the KDE Gitlab and asked if people could comment on it on the dev matrix channel. It just kind of continued from there and I iterated through the feedback until it was done.

                                                                          It wasn’t so scary after all! :)