1. 9

    Relatively misleading title - I thought we were getting an interesting new take on or analysis of context switching costs, process duplication overhead, etc. but the article was mostly “don’t call system or similar with an untrusted argument” which seems obvious.

    “Subprocesses are a code smell” seems to me to be a wholly unsubstantiated claim in the article. Subprocesses which kick off any command/program an attacker wishes? Definitely more than a code smell. Use of subprocesses at all though?

    1. 2

      It boils down to “don’t blacklist, whitelist”. The example git commit -m “<userdata >” is super safe if userdata matches [A-z0-9 ]+

      1. 2

        No, just use the correct API to run a program.

        1. 1

          What would ‘the correct API’ be for the case @ec mentions?

          1. 6

            libgit2. Maybe.

            I mean, it depends on why am I letting someone make commit messages?

            Sure, there’s lots of situations where libgit2 might be appropriate, but it’s a big dep. What am I doing, really?

            Maybe I just write the git objects directly. It’s not hard.

            But there’s also lots of cases where I would probably just use system. I don’t see what’s so hard about quoting/escaping, since it’s easy to make the shell will do it for you:

            #include <stdlib.h>  /* setenv(), system() */
            /* setenv() takes three arguments; the overwrite flag (1) was missing in the original line */
            if (0 == setenv("message", text, 1)) system("git commit -m \"$message\" -a");


            @ec is right about input sanitising (though): Do I want someone to make a 64kb git commit message? Do I want a commit message that contains evil strings? If I try to build a blacklist, at which point is it good enough? This is an important point, it just has nothing to do with subprocesses.

            1. 4

              It depends on the language, but use the exec* functions or something that wraps them. In Python subprocess lets you pass in a list of arguments which is safe to escaping.
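The approaches from this sub-thread side by side, as an added example that is not part of any of the comments: the unsafe string-interpolated shell command, the argv-list form, the setenv()/"$message" trick, explicit quoting, and the character allowlist. It assumes `echo` as a stand-in for `git commit -m` so it runs without a repository, and uses a constructed message containing shell metacharacters.

```python
import os
import re
import shlex
import subprocess

# Constructed sample "commit message" carrying shell metacharacters.
# "echo" stands in for "git commit -m" so the demo runs without a repo.
UNTRUSTED_MESSAGE = "fix build $(echo EXPANDED); echo INJECTED"


def run_shell_interpolated(message: str) -> str:
    """Unsafe pattern: untrusted text is pasted into a command line that sh re-parses."""
    result = subprocess.run(f"echo {message}", shell=True, capture_output=True, text=True)
    return result.stdout


def run_argv_list(message: str) -> str:
    """exec*-style: the message is one argv element, so no shell ever sees it."""
    result = subprocess.run(["echo", message], capture_output=True, text=True)
    return result.stdout


def run_env_quoted(message: str) -> str:
    """The setenv()+system() trick from the thread: the shell expands "$message"
    as a single word and never re-parses its contents."""
    env = dict(os.environ, message=message)
    result = subprocess.run('echo "$message"', shell=True, env=env,
                            capture_output=True, text=True)
    return result.stdout


def run_shell_escaped(message: str) -> str:
    """Explicit quoting with shlex.quote() also keeps a shell from re-parsing the text."""
    result = subprocess.run(f"echo {shlex.quote(message)}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def allowlisted(message: str) -> bool:
    """Allowlist in the spirit of the thread, written as [A-Za-z0-9 ]."""
    # Note: [A-z] would also admit the six characters between 'Z' and 'a'
    # ( [ \ ] ^ _ and backtick ), so spell both letter ranges out.
    return re.fullmatch(r"[A-Za-z0-9 ]+", message) is not None
```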

      1. 4

        This is news, and in this case neither the backing reddit link nor the post has technical analysis as to what design/architecture challenges led the ETH blockchain to this issue.

        I don’t think this is fit for lobste.rs - I don’t mean to be accusatory, I’d like to hear your thoughts and maybe we can open a meta thread for discussion. Thanks!

        1. 1

          eh, fair enough and sorry :-) I thought it was relevant enough that this network, that so many people are building on, could literally be clogged by cat pictures …

        1. 1

          Thanks so much for the awesome feedback, I’ll incorporate the comments here and on the gist itself.

          Additionally, information about many about:config items can be found deep in Mozilla’s documentation https://wiki.mozilla.org/.

          1. 18

            Non-obvious thing: configuring options makes you more trackable (by sufficiently advanced tracking tech — it’s possible to build a profile out of unavailable APIs, requested TLS ciphersuites, etc. — not everyone does this of course, but the ad industry is investing so heavily into development of trackers…)

            For that exact reason, the Tor Browser always opens with the same window size and doesn’t recommend resizing it.

            1. 5

              This. Thank you for reminding me of this. These settings definitely lean toward a more identifiable, more secure browser. There are both security and privacy settings in here, but customization in many cases can lead to trackability.

              1. 4

                This is why the Tor Browser aims for uniformity. If you want to be more private than private browsing mode, then use the Tor Browser Bundle.

                1. 2

                  So can we all stop using the web now or… ?

                  1. 2

                    Well, if you just block JS wholesale for sites that don’t know your date of birth anyway (like banks you use), API availability wouldn’t mean much. If you also write a script to randomly accept only some of the bad ciphers, please share.

                    1. 1

                      Or not care about privacy that much. Unpopular opinion, but I’m somewhat tired of this privacy obsession.

                      1. 2

                        please send me your name, age, date of birth, home address, browsing history, and the contents of all your emails.

                  1. 2

                    Would love feedback, comments, & improvements - thanks all.

                    1. 3

                      How do these compare to the Tor Browser settings?

                      I notice (when using Tor Browser) that many sites try to use Canvas for fingerprinting. Is this blocked by your settings as well? Or does uBlock take care of that?

                      1. 6

                        Firefox 58 will actually be getting the canvas anti-fingerprinting in the Tor Browser: https://nakedsecurity.sophos.com/2017/10/30/firefox-takes-a-bite-out-of-the-canvas-super-cookie/

                    1. 1

                      https://addons.mozilla.org/en-US/firefox/addon/clipsafe/

                      Shameless plug for a tiny FF add-on I wrote, clears your clipboard after pasting into a password field, to avoid accidentally pasting it elsewhere

                      1. 2

                        From the related GitHub page: Does not work if the OS uses the IOMMU/VT-d. This is the default on macOS (unless disabled in recovery mode).

                        Looks like the attack was relevant for the current OS, but on older hardware not defaulting to enabling Intel VT-d?

                        1. 6

                          Has anyone here ever tried https://github.com/martanne/vis ? I’d be curious to see how they compare.

                          1. 3

                            I’ve been using it as my main editor for months now, and it works extremely well! Some features still need some polishing, but it has replaced vim entirely for me. Some hints I’d give to people wanting to do the same: learn and use multiple cursors! I use them instead of macros as they work interactively.

                            On the bad side, syntax HL is turned on by default (that’s my taste, though!), you cannot tab-complete file names in the status line yet (eg, :e name<tab>), and some characters are not possible to type (even when pressing ^V). Otherwise, I feel more efficient with it than I was with vim.

                            1. 1

                              I haven’t, but it seems like the most obvious difference is the lack of overlays in vis.

                              Also, that it’s a real pain to install the Lua library that’s required for syntax highlighting in vis (it’s called lpeg) if you’re not on one of the supported distributions.

                              1. 1

                                I did while it was still rather young and had quite a few bugs rendering it pretty unusable for me, but I’m sure it’d be worth checking in again when they reach v0.3 or a few milestones down the road.

                                1. 2

                                  I’m a fan of GPG specifically for self-attestation for a message, specifically using the strong, non-RSA-based ECDSA. For me, the GPG use case is a broadcast-style message that I want strongly bound to my identity, which for me is a rare but important case.

                                  1. 1

                                    It’ll be interesting to see how this affects the development of the project. Hopefully not negatively; although it may slow down feature dev, I hope it doesn’t introduce commercial interests into the core feature pipeline but rather into custom builds/configs as mentioned in the mailing list. I’m sure they’ll stay on top of immediate security fixes as always.

                                    Also, comments on the use of the release tag are welcome. I felt it landed in software announcements.

                                    1. 21

                                      For those curious why 4 or 6 specifically are a problem, since it wasn’t obvious from the thread: it appears that some routers on MPLS networks, which carry multiple types of packets on them (e.g. both Ethernet and IP packets), use the presence of a leading 4 or 6 on the packet as a quick test for whether it’s an IP packet (IP packets start with the IP version, so all currently start with either a 4 or 6). Since Ethernet packets start with the MAC address, a packet from a MAC address starting with 4 or 6 gets misclassified as an IP packet, and possibly gets the wrong thing done to it.
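The first-nibble shortcut described above, run against constructed frames that trip it; this is an added illustration, not part of the comment, and the stricter header-consistency check is an assumed sanity check for contrast, not any vendor's actual fix (MAC addresses and packet contents are constructed).

```python
import struct


def naive_is_ip(packet: bytes) -> bool:
    """The shortcut described in the thread: only the first nibble is inspected."""
    return len(packet) > 0 and (packet[0] >> 4) in (4, 6)


def strict_is_ipv4(packet: bytes) -> bool:
    """Illustrative stricter check (an assumption, not what any router does):
    version, IHL and total length must be self-consistent. It narrows the
    window for misclassification but cannot rule it out for arbitrary MAC bytes."""
    if len(packet) < 20:
        return False
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or ihl * 4 > len(packet):
        return False
    total_length = struct.unpack("!H", packet[2:4])[0]
    return ihl * 4 <= total_length <= len(packet)


# Constructed IPv4/UDP packet: version 4, IHL 5, total length 28 = 20-byte header + 8 bytes.
IPV4_PACKET = struct.pack(
    "!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
    bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
) + b"\x00" * 8

# Constructed Ethernet frames carrying that packet (EtherType 0x0800). Only the
# destination MAC differs: 4e:... and 6e:... begin with the nibbles 4 and 6,
# so a first-nibble test sees them as IPv4 and IPv6 respectively.
SRC_MAC = bytes.fromhex("020000000002")
FRAME_MAC_4E = bytes.fromhex("4e0000000001") + SRC_MAC + b"\x08\x00" + IPV4_PACKET
FRAME_MAC_6E = bytes.fromhex("6e0000000001") + SRC_MAC + b"\x08\x00" + IPV4_PACKET
FRAME_MAC_02 = bytes.fromhex("020000000001") + SRC_MAC + b"\x08\x00" + IPV4_PACKET
```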

                                      1. 3

                                        Thank you for clarifying this