Threads for fkooman

  1. 1

    Interesting that in the other post on the homepage, about Fedora 36, they say they ship with 4.0.

    1. 3

      The 4.1 release will most likely soon be an update in Fedora 36…

      https://koji.fedoraproject.org/koji/packageinfo?packageID=26289

      1. 2

        Distros need to cut things off sometimes. I’m sad that they discontinued their kubic apt repository after it landed in Ubuntu, because the version that landed there is 3.4.4. It looks like if I want newer on Ubuntu I’m back to building my own debs like I was before the kubic apt repository was a thing.

      1. 20

        Too bad this is not the default in Firefox. It should have been, since AMP was first introduced. I will never use Brave because of their BAT cryptocurrency scam.

        1. 6

          Any resources/info on it being a scam (other than “it’s crypto”, ideally)? I was under the impression that it was a helpful idea, but maybe I’m missing something.

          1. 4

            My understanding is that they crawled social media to find photos of the owners of websites in order to make it look like the website owners were part of their website donation project. If people then subsequently donated in the belief that the money would go to the people Brave claimed it would go to, but the site owners weren’t participating in the project, the money would be held in some escrow account for some time until Brave took the money themselves.

            They’ve also been really shady in increasingly making their browser pretend it’s just Chrome, making it impossible to block or inform visitors about the scam.

            Here’s pushcx’s comment about it when it affected lobste.rs: https://github.com/lobsters/lobsters-ansible/issues/45

            EDIT: And here’s Tom Scott’s twitter thread about it: https://web.archive.org/web/20181224160027/https://twitter.com/tomscott/status/1076160882873380870

            1. 2

              Hm. I’d heard of those things. I guess I agree that’s not a great impression. I can understand why they would make such a mistake in good faith. Then again, when you’re trying to “fix the web” you can’t steamroll the very content creators you’re trying to help. And even if it was the result of ignorance as they suggest, it certainly calls into question their diligence in less visible parts of their operation. Maybe they need to do more to assure potential users of their ecosystem that such oversights won’t happen again.

              In any case, I can understand better now why someone would hew towards Firefox rather than Brave. What a shame… Anyways, thanks for your reply!

          2. 2

            They’re also run by a bigot. Stay away.

            1. 3

              don’t you work for google? might be worth mentioning if you’re commenting on an article about how a competing browser is sidestepping one of google’s more evil recent projects

              1. 4

                I’m not speaking as a Google employee and I don’t work on Chrome. It’s a big company. I did work on other browsers for a long time in the Mozilla ecosystem, including working with LGBT ex-Mozillans when we looked around the Prop-8 donations to see if anyone we knew had made donations and saw Eich’s significant donations to deprive equal human rights to people he knows and worked with. My feelings about this have nothing to do with who I happen to work for at one time or other. I’m a huge fan of a broad ecosystem of browsers offering a variety of takes on the web - I spent half my career working on that vision - but don’t get your supposedly privacy focused browser from someone with a history of attacking the human rights of vulnerable people.

                1. 3

                  If Brave’s technology is sound, it could always be forked. Similar to how people run de-Googled forks of Chrom(e|ium) to opt out of Google’s spying.

          1. 3

It is not really difficult to make PHP software work with all versions from 5.4 until 8.1 with the exact same code. I am doing it for some of my projects. (Minor) releases of PHP may require a few small tweaks, for example PHP 8.1 broke some of my unit tests because PDO (SQLite) will no longer stringify results:

            Integers and floats in results sets will now be returned using native PHP types. The previous behaviour can be restored by enabling the PDO::ATTR_STRINGIFY_FETCHES option.

            It requires some planning and some careful consideration when developing and adding dependencies. If you can assume at least PHP 7 a lot of stuff becomes much easier still.
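As an added example (not code from the commenter), this pins the PDO result types so a unit test asserts the same thing before and after the 8.1 change; it assumes the pdo_sqlite extension is available and uses a constructed in-memory table.

```php
<?php
// Added example: make PDO (SQLite) result types deterministic across PHP versions.
// Assumes the pdo_sqlite extension; the table and row are constructed sample data.
declare(strict_types=1);

function openDb(bool $legacyStrings): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // true  => every column is returned as a string (the pre-8.1 behaviour), on any version
    // false => native int/float on PHP 8.1+, still strings on older versions
    $pdo->setAttribute(PDO::ATTR_STRINGIFY_FETCHES, $legacyStrings);
    $pdo->exec('CREATE TABLE t (id INTEGER PRIMARY KEY, score REAL, name TEXT)');
    $pdo->exec("INSERT INTO t (id, score, name) VALUES (7, 0.5, 'alice')");
    return $pdo;
}

/** PHP type name of each column in the first row, e.g. ['id' => 'integer', ...]. */
function fetchTypes(PDO $pdo): array
{
    $row = $pdo->query('SELECT id, score, name FROM t')->fetch(PDO::FETCH_ASSOC);
    return array_map('gettype', $row);
}

// Stringify on: string/string/string on PHP 7.4 and on 8.1 alike.
print_r(fetchTypes(openDb(true)));
// Stringify off: integer/double/string on 8.1+, string/string/string on older versions.
print_r(fetchTypes(openDb(false)));

// Version-independent assertion: cast explicitly instead of relying on === against
// whatever type the driver happens to return on the running PHP version.
$row = openDb(false)->query('SELECT id, score FROM t')->fetch(PDO::FETCH_ASSOC);
assert((int) $row['id'] === 7 && abs((float) $row['score'] - 0.5) < 1e-9);
```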

            1. 3

              The browser UX could potentially be improved a lot by going back to “Basic/Digest Authentication” style where combined with a built-in password manager the whole login flow would disappear if TLS client authentication for everything is not achievable (yet).

              1. 18

                Am I stupid or is this post essentially just, “if someone gets access to your authentication tokens they can impersonate you”? Isn’t this expected? Is your threat model one in which a user who leaves their machine unlocked and logged in at a café should still be safe somehow? How would that work?

                And how is that specific to bearer tokens? If I leave my machine unlocked at a café, someone can take my SSH private key too; that’s not a bearer token. Why is it worse if someone gets my bearer token than if someone gets my SSH private key?

                1. 6

                  “if someone gets access to your authentication tokens they can impersonate you”?

                  Yes, that seems the complaint.

                  Isn’t this expected?

                  Currently yes, but I think that’s the idea the post complains about. It would be great if it wasn’t expected.

                  SSH keys can do slightly better. A file based private key without a password is not better than a bearer token. However we can go a bit further. Hardware tokens elevate the guarantee to “you haven’t stolen the actual hardware”. (Yes, you could tunnel the messages, but the driver could also validate the client, so that’s… complicated) This is similar to the idea of secure enclaves in the post.

                  1. 4

So what’s the solution for an authentication system where 1) I don’t need to re-authenticate (with a password, a hardware token, biometrics, whatever) for every action; and 2) I can safely leave my laptop unlocked in a café without “logging out” anywhere (which is the example proposed in the article)? What alternative to bearer tokens could possibly do that?

                    1. 5

A TPM where the keys are write only and the computer has no unsigned writable persistent storage. Where the only thing of value on the machine is inaccessible proof of identity that allows you to access someone else’s machine.

                      A thin client for the cloud, effectively.

                      I don’t think I want to own such a machine.

                  2. 1

                    Why is it worse if someone gets my bearer token than if someone gets my SSH private key?

That depends on what you can do with your SSH private key and with that specific Bearer token…

                    At least with SSH you could improve the security of your private key (somewhat) by having it encrypted with a passphrase on disk (default) and/or (somewhat more) by using a FIDO2 hardware token, this is not so easy with a Bearer token as those are supposed to be usable without “user presence”.

                    1. 7

                      So the complaint doesn’t have to do with bearer tokens; the complaint has to do with any system where the user doesn’t have to re-enter their password (or re-authenticate through other means) with every action.

                      1. 4

                        On the orange site mjg59 expands on his post thusly:

                        Hypothetical: I have a Github Enterprise org. Users log in via my identity provider to gain access. Github then issues a long-lived oauth token to the Github Desktop app. An attacker compromises a user’s laptop and copies that oauth token. That attacker now has access to all my private repos until I notice and revoke it.

                        Finding a solution to this particular problem without destroying the UX would be very nice!

                        1. 1

                          What about a rolling code system (similar to RKE used for vehicle fobs)? If someone steals & uses your key state, then your next code won’t work (because the attacker already used it). At that point you are forced to re-authenticate and invalidate the stolen state.

                          1. 2

                            I have a laptop and a desktop.

                            I reload and my connections get lost.

                            1. 1

                              Your laptop & desktop would not be sharing the same token/key.

                              1. 1

                                Doesn’t fix that sometimes connections crash. How do you verify you received the new token other than using it?

                                1. 1

                                  I don’t understand your question. Can you provide a concrete scenario?

                  1. 5

Fedora and Debian have had 64-bit releases for the Pi 3 for many years (and also for the Pi 4 since a year or so, Debian since bullseye) with their normal release kernel. I fail to get excited about this.

                    1. 3

Not so long ago I got bitten by string array keys being silently converted to int when they can be interpreted as numeric, but not all numeric. The OP almost mentions this mixed in with the JSON encoding/decoding:

                      $ php -a
                      Interactive shell
                      
                      php > $foo = ["66" => "foo", "92" => "bar", "-1" => "baz"];
                      php > var_dump($foo);
                      php shell code:1:
                      array(3) {
                        [66] =>
                        string(3) "foo"
                        [92] =>
                        string(3) "bar"
                        [-1] =>
                        string(3) "baz"
                      }
                      php > 
                      

                      WAT:

                      Strings containing valid decimal ints, unless the number is preceded by a + sign, will be cast to the int type. E.g. the key “8” will actually be stored under 8. On the other hand “08” will not be cast, as it isn’t a valid decimal integer.
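As an added example (not from the comment above), this shows which string keys PHP actually normalises and the JSON consequence the comment alludes to: an object whose keys decode to 0..n-1 is re-encoded as a JSON list. The JSON inputs are constructed samples; it assumes PHP 7.3+ for array_key_first().

```php
<?php
// Added example: PHP array-key normalisation and its effect on a JSON round trip.
// Assumes PHP >= 7.3 (array_key_first). All JSON inputs are constructed sample data.
declare(strict_types=1);

/** For each key, report the type it is actually stored under, as [key, type] pairs. */
function keyTypes(array $keys): array
{
    $out = [];
    foreach ($keys as $k) {
        $arr = [$k => true];                       // let PHP normalise the key
        $out[] = [$k, gettype(array_key_first($arr))];
    }
    return $out;
}

/**
 * json_decode(..., true) turns "0","1",... into int keys; if they form 0..n-1 in
 * order, json_encode() emits a JSON array, so the document changes shape.
 */
function roundTrip(string $json): string
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    return json_encode($data, JSON_THROW_ON_ERROR);
}

/** Decoding to stdClass keeps the keys as property names, so objects stay objects. */
function roundTripPreservingObjects(string $json): string
{
    $data = json_decode($json, false, 512, JSON_THROW_ON_ERROR);
    return json_encode($data, JSON_THROW_ON_ERROR);
}

// Canonical decimal ints become ints; leading zero, sign, decimal point or whitespace
// keep the key a string.
print_r(keyTypes(['66', '-1', '08', '+8', '1.0', ' 8', '8 ']));
// => integer, integer, string, string, string, string, string

echo roundTrip('{"66":"foo","92":"bar","-1":"baz"}'), "\n";
// => {"66":"foo","92":"bar","-1":"baz"}   (int keys, but not 0..n-1: still an object)
echo roundTrip('{"0":"a","1":"b"}'), "\n";
// => ["a","b"]                            (shape changed: object became a list)
echo roundTrip('{"08":"x"}'), "\n";
// => {"08":"x"}                           (not canonical: key stays a string)
echo roundTripPreservingObjects('{"0":"a","1":"b"}'), "\n";
// => {"0":"a","1":"b"}
```

A consumer that distinguishes `{}` from `[]` (a strict JSON schema, or another language's decoder) sees a different document after the round trip, so decode to stdClass or use JSON_FORCE_OBJECT where the shape matters.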

                      1. 1

                        Oh yes, that’s always a fun one to find by accident. My favourite WAT that I found is that this is valid:

                        foreach($x as $y->v(){0}) {}
                        

                        Fun to figure out why…

                      1. 32

                        We’re disabling HTTP/3 for the time being, which is hopefully picked up automatically upon restart. Restarting the browser should just help. If it doesn’t, disable HTTP3 manually.

                        Edit: The bug was in HTTP/3, but not in “all of HTTP/3”. We solved this on the server-end. A post-mortem will be held and I’ll make sure the outcome lands on lobste.rs

                        1. 17

                          Do I understand from this that Mozilla can just update my browser settings remotely without my updating‽

                          1. 21

                            Update: In the end, we disabled H3 on the offending server not in any client.

                            1. 8

                              Thanks for posting it here with your official hat on and being so honest! Mistakes can happen and exactly this behavior gives me confidence in the FF crew.

                            2. 18

Yes. This is part of the “Remote settings” service, which we can use to ship or unship features (or gradually) or recover from breakage (like here!). We mostly use it as a backend for Firefox Sync and certificate revocation lists. Technically, we could also ship a new Firefox executable and undo / change settings, but that would realistically take many more hours. Needless to say, every “large” software project has these capabilities.

                              BTW I’d encourage you not to disable remote settings, because it also contains certificate revocation updates and (obviously) helps with cases like this here. I understand that this is causing some concern for some people. If you’re one of those, please take a look at https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections

                              Edit: I’m told sync is using a different backend and some of this is inaccurate. It seems that lots of folks are linking to this thread, which is why I will leave this comment, but strike-through.

                              1. 6

                                How do I disable Remote Settings but keep CRL updates on?

                                1. 5

                                  CRL updates are part of the payload that the “remote settings” service provides. So, I’m not sure what you are asking. I only know of the all-or-nothing switch.

                                  1. 2

                                    I think driib is asking “If I control the DNS for a public wifi point, can I use an NXDOMAIN for use-application-dns.net and a spoof of aus5.mozilla.org to force an update to my own (possibly evil) version of Firefox; and if so, how do I defend against that?”. But I could be wrong.

                                    1. 1

                                      We sign our remote settings as well as our Firefox browser updates.

                                      1. 1

                                        Good.

                                2. 1

                                  😱

                            1. 11

                              Do we have a tag to filter out web3/blockchain/nft/crypto bullshit and suggest it to posts like these? “web” does not quite cover this…

                              1. 7

                                merkle-trees was made exactly for that

                                1. 2

                                  Well, if someone’s overly specific, that’ll filter out git posts too…

                                  1. 2

                                    That would be an incorrect tag, because discussions related to git should be tagged with vcs - “Git and other version control systems”.

                              1. 7

                                The original bug report as to why:

                                With Schools using Google Forms as a testing platform, students are able to use this shortcut to search through the source of the page, and determine the correct answers.

                                Use case: Admin wants to prevent and stop students from using View-Source as a way to cheat during exams, state testing and quizzes

                                1. 32

                                  Clearly, modifying the browser is the only possible technical approach that can stop people from finding test answers in the page sources of Google Forms. Google is otherwise completely powerless to prevent test answers from appearing in the form’s HTML.

                                  1. 15

                                    That’s an interesting thread. I’m surprised to see so few people saying “instead how about you fix these stupid websites to not embed this stuff in the page source.”

                                    View Source is one of the emblematic features of the open Web. Countless people got started with HTML (or picked up new tricks) by viewing the source of websites.

                                    1. 6

                                      View Source is one of the emblematic features of the open Web.

                                      No surprise that Chrome* is open to blocking it, then.

                                    2. 8

                                      Wait, are they serious?! Why on Earth would the answers even be in the HTML? That literally doesn’t make sense…

                                      1. 2

                                        I ran into this a while ago, doing some compulsory training for an employer.

                                        After digging around, it seems the quiz sections were transpiled from Flash into JavaScript, leading to trivially exposed answers in the source code. Because the Flash app itself was entirely client-side, and wasn’t validating the answers against a server.

                                    1. 2

                                      Hopefully these optimizations find their way to libosinfo so e.g. GNOME Boxes also benefits from this and some day may make it easy to install Windows 11 and macOS on a virtual machine.

                                      1. 2

                                        Installing macOS on anything other than Apple hardware (in a VM or otherwise) is a violation of the EULA, so I doubt GNOME would touch it. VirtualBox and friends include big disclaimers about this to avoid being hit with DMCA notices. Apple has a history of sending them to any project that makes it easy to install OS X / macOS in VMs on non-Apple hardware unless they include these disclaimers.

                                        I had a quick look at the Windows installs and I couldn’t see how you provide your license key there either. Microsoft provides Windows VM images with quite a restrictive license (time-limited, for evaluation / testing only) but it looks as if this is installing from the DVD install image - do you need to provide license info after the install is finished?

                                        1. 2

                                          That’s petty of them, I don’t see how you would be doing something that is unethical in any way. Modifying some UEFI tables and using a DMG you got from the app store on your own MacBook. Although, some laws are so crazy it might technically be very well “illegal” these days.

                                          Microsoft offers the ISOs of Windows 8, 10 and 11 directly from their site. For Windows 8 you do need a valid license key to be able to install it.

                                          For what it is worth, in GNOME Boxes you can specify the license key for unattended Windows installations. You can also do a “manual” install with Windows >= 10 where there is a prompt for a license key you can then skip. You’re then running in an evaluation mode that probably will expire at some point and you can’t change all settings I think. Good enough to test stuff with Internet Explorer though and run some tests with apps.

                                          1. 6

                                            That’s petty of them, I don’t see how you would be doing something that is unethical in any way

                                            macOS exists for Apple to sell Macs and is funded out of sales of Macs and related services and so the EULA requires that you buy a Mac to be able to run it. Whether that’s ethical or not, it’s definitely illegal.

                                            Running it on a KVM VM on a MacBook that’s configured to boot to Linux is fine and in accordance with the EULA (last time I checked, not sure if it’s changed, I am not a lawyer, this is not legal advice), but running it on KVM on a non-Apple machine is not.

                                            Most things that support running virtualised macOS are quite explicit about this because the DMCA has some quite specific wording that differentiates between things designed for copyright infringement and things that are dual-use and can be used for copyright infringement. If you provide tooling that is designed for running macOS on a Mac in a VM and is also useable on other machines, it’s a dual-use thing and Apple can go after the folks that use it to violate their copyright but they can’t go after their tool. If you provide something that is marketed as letting you run macOS on non-Apple hardware, then they can go after the tool.

                                      1. 4

                                        It is the default filesystem in Fedora since 33.

                                        1. 4

                                          Some kind of clue as to what we’re looking at here and why it is interesting would be super useful.

                                            1. 2

                                              The search engine calculates a score that aggressively favors text-heavy websites, and punishes those that have too many modern web design features.

                                              On my phone at the moment, the above is probably the shortest summary I can find on the About page.

                                            1. 3

I’m using GrapheneOS’ infrastructure repo for inspiration for hardening my SSH server config: https://github.com/GrapheneOS/infrastructure/blob/main/sshd_config which seems to take things a bit further and removes legacy stuff, i.e. RSA.

                                              Also, I’m using AddressFamily inet6 to only listen on IPv6 which reduces the number of log entries from curious scanners.

                                                1. 2

                                                  This is not the content I come to lobster.rs for, but it is content I snorted water out of my nose to. It set me musing about the quality of products and what happens when true innovation stalls but units still need to be moved.

                                                1. 9

                                                  I found this document much more useful than an endless list of changes in the linked URLs.

                                                  1. 1

                                                    Thank you! I was having a difficult time parsing that format.

                                                  1. 5

LAMP is great, although I’ve been using LASP for many years now: Linux + Apache + SQLite + php-fpm. Even for new web projects this is a pretty good choice! I must admit, I do use a little Go where PHP doesn’t cut it (non-web, daemons, concurrency).

                                                    1. 1

                                                      Unfortunately the Fritz!Box does not allow you to modify the domain away from “fritz.box.”, which is extra problematic since “box.” is a real TLD… Maybe owned by AVM though, didn’t check.

                                                      1. 1

                                                        After experimenting with this, I am not sure how to solve the “graceful restart” automatically after a certificate has been obtained (or renewed). It seems you have to reload/restart Apache manually to actually start using the certificate. Just configuring it will not be enough! This is quite unfortunate and I wonder why the watchdog requirement does not take care of this?

                                                        1. 3

                                                          As far as impact is concerned, does this also affect something like JWT’s HS256 algorithm which calculates the HMAC over the header+payload?

                                                          1. 2

                                                            Looking at a PHP implementation here and here

                                                            • The number of pieces passed into the hash function is constant (2)
                                                            • Each piece is encoded (with base64url) and joined with a separator character (.) that isn’t in the same input domain as the encoded pieces.

                                                            They manage to narrowly avoid it in practice due to the fact that there is no input to urlsafeB64Encode() that creates the separator character. HMAC is also length-extension resistant, so that rules out that class of technique.

                                                            (There is the additional challenge of moving the concatenation point for two JSON objects such that the parser still returns objects, if you’re trying to do more than cause an exception after the payload has passed its HMAC validation. I haven’t explored that problem in detail.)
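As an added example (not the implementation the comment links to), this contrasts an HMAC over raw concatenation, where the piece boundary is lost, with the JWT HS256 construction, where base64url plus a `.` separator and a fixed piece count make the boundary unambiguous. The key and claims are constructed sample values.

```php
<?php
// Added example: concatenation ambiguity vs. the JWT HS256 signing input.
// The key, header and payload below are constructed sample values.
declare(strict_types=1);

function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

/** Naive MAC over raw concatenation: where piece A ends and B begins is not encoded. */
function naiveMac(string $key, string $a, string $b): string
{
    return hash_hmac('sha256', $a . $b, $key);
}

/** JWT signing input: '.' is outside the base64url alphabet, so the split is unique. */
function signingInput(string $headerJson, string $payloadJson): string
{
    return b64url($headerJson) . '.' . b64url($payloadJson);
}

function hs256Sign(string $key, string $headerJson, string $payloadJson): string
{
    $input = signingInput($headerJson, $payloadJson);
    return $input . '.' . b64url(hash_hmac('sha256', $input, $key, true));
}

/** Verify: exactly three pieces, constant-time MAC compare, decode only afterwards. */
function hs256Verify(string $key, string $jwt): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;                               // the format fixes the piece count
    }
    [$h, $p, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', "$h.$p", $key, true));
    if (!hash_equals($expected, $sig)) {
        return null;
    }
    $payload = json_decode(base64_decode(strtr($p, '-_', '+/')), true);
    return is_array($payload) ? $payload : null;
}

$key = 'constructed-demo-key';

// Two different (header, payload) splits collide under the naive construction ...
var_dump(naiveMac($key, '{"alg":"HS256"}{"ad', 'min":true}')
      === naiveMac($key, '{"alg":"HS256"}', '{"admin":true}'));    // bool(true)
// ... but produce different signing inputs under the JWT construction.
var_dump(signingInput('{"alg":"HS256"}{"ad', 'min":true}')
      === signingInput('{"alg":"HS256"}', '{"admin":true}'));       // bool(false)

$jwt = hs256Sign($key, '{"alg":"HS256","typ":"JWT"}', '{"sub":"alice","admin":false}');
var_dump(hs256Verify($key, $jwt));                 // array with sub => alice, admin => false
var_dump(hs256Verify($key, $jwt . '.extra'));      // NULL: four pieces

$tampered = explode('.', $jwt);
$tampered[1] = b64url('{"sub":"alice","admin":true}');   // swap payload, keep signature
var_dump(hs256Verify($key, implode('.', $tampered)));    // NULL: MAC mismatch
```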