1. 9

    Maybe start simple with a typical web forum, Discourse or whatnot?

    1. 9

      Communities like this care more about the people and less about the shinyness of the software. A forum software would get something in production that people can use now instead of writing something bespoke. Great suggestion.

    1. 12

      In hindsight, I should have submitted the article that has the technical details, which is at https://hacks.mozilla.org/2021/02/introducing-state-partitioning/

      1. 18

        Sorry the article is so vague; I couldn’t find a better, more technical post. The meat of this story is that, in iOS 14.5, pointer authentication (literally signing pointers in memory) is being extended to the “isa” pointer located at offset 0 in every Objective-C object. This points to the object’s class data (sorta like a C++ object’s vtable pointer.) Signing this pointer prevents unauthorized swizzling — changing the class of an existing object — which is a very powerful way to change behavior, and apparently widely used in iOS hacking.

        I actually had never heard of pointer signing before. It sounded crazy to put a MAC in the high bits of a pointer and verify it while dereferencing, but it’s done in hardware by the CPU which I guess makes it fast enough to be practical.

        1. 1

          It’s interesting that they’re doing this with the isa pointer, because Apple is already stealing all of the bits that PAC uses for a bunch of other things in Objective-C (inline ref count, for example).

          1. 1

            Also known as memory tagging. It’s also a feature for new ARM chipsets.

            1. 9

              PAC and MTE are not the same thing.

              PAC is an extension that signs pointers whereas MTE adds tags to pointers and memory regions.

              PAC is an ARMv8.3 extension; MTE is an ARMv8.5 extension.

              1. 1

                Oops. Thanks, Alex :)

          1. 1

            This is impressive enough that I’ll consider switching in my toy project (an IRC bot that is storing lots of data in a hashset for deduplication). Come to think of it, the Raspberry Pi it’s running on probably doesn’t have hardware support for AES-NI though…

            1. 1

              When I switched I saw performance improvements even when I compiled without AES (on x86_64, though, so may differ for you).

            1. 2

              I studied under Prof. Paar, one of the authors of the textbook you linked. Amazing material, great didactics but mostly introductory.

              Follow it at your own pace (it was 1 year in Uni, but I expect it could be done faster), and after that I’d recommend self-study and programming with the Cryptopals challenges.

              1. 1

                His lectures are available online for free, and they’re probably the most approachable and comprehensive ones I’ve seen: https://youtube.com/channel/UC1usFRN4LCMcfIV7UjHNuQg

              1. 2

                In one of the systems I was working on I used a whitelist-based approach rather than a blacklist one. I agree this maybe reduced one category of bugs, but at the same time it introduced another, where functionality often didn’t work until I’d updated the whitelist. So I guess this whitelist-first approach instead of a blacklist-first approach is really a trade; an exchange of one category of bugs for another. Which, in the case of trading security bugs for functional bugs, could be a net positive, but it’s a good idea to think about what category of bugs are actually being traded.

                1. 5

                  I agree this maybe reduced one category of bugs, but at the same time it introduced another, where functionality often didn’t work until I’ve updated the whitelist.

                  That’s the goal. Deny-list approaches fail open, allow-list approaches fail closed. If you forget to put something that you need on your allow list, some feature that your users care about will stop working and you will get useful bug reports. If you fail to put something that you don’t need into a deny-list then an attacker can exploit it and you don’t get any bug reports.
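                  The fail-open versus fail-closed point above, shown in code (an added example written for this page, not from either commenter): the same request-body filter written as a deny-list and as an allow-list, run over constructed inputs. The field names and sample bodies are invented for the illustration.

```javascript
// Added example: one request-body filter written both ways.

// Fields the application actually needs (the allow-list).
const ALLOWED_FIELDS = ['username', 'email'];
// Fields the developer remembered to block (the deny-list).
const BLOCKED_FIELDS = ['isAdmin', 'role'];

// Deny-list: anything not explicitly blocked passes through.
function denyListFilter(body) {
  const out = {};
  for (const [key, value] of Object.entries(body)) {
    if (!BLOCKED_FIELDS.includes(key)) out[key] = value;
  }
  return out;
}

// Allow-list: only fields explicitly permitted pass through.
function allowListFilter(body) {
  const out = {};
  for (const key of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// Constructed inputs. "unexpected" carries a privileged field spelled in a
// way nobody put on the deny-list; "newFeature" carries a legitimate field
// added after the allow-list was written.
const SAMPLES = {
  normal: { username: 'alice', email: 'alice@example.test' },
  unexpected: { username: 'alice', email: 'alice@example.test', is_admin: true },
  newFeature: { username: 'alice', email: 'alice@example.test', displayName: 'Alice' },
};

// Which keys survive each filter for a given sample.
function survivingKeys(sampleName) {
  const body = SAMPLES[sampleName];
  return {
    denyList: Object.keys(denyListFilter(body)).sort(),
    allowList: Object.keys(allowListFilter(body)).sort(),
  };
}
```

For the “unexpected” body the deny-list lets `is_admin` through with no signal to anyone; for the “newFeature” body the allow-list drops `displayName`, which is exactly the visible functional bug the thread describes, and the fix is a one-line addition to `ALLOWED_FIELDS`.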

                  1. 3

                    100% this. If the default-deny causes you to think through a new code path during development, then you’re paying the lowest possible cognitive price you’ll ever get. If you notice something is off during development and testing then you’re right there.

                    Imagine you had a bug report that sometimes works most of the time, except once or twice. Good luck investigating when you’ve got a whole stack of technology to wade through. It’s more time-consuming, more frustrating for the users and maybe even pissing off your ops team.

                    Bonus: once in this mood, you are also less likely to come up with a thorough solution that catches all of the possible facets of “badness” and you’ll end up in the sad place again and again.

                1. 4

                  git worktree. Look it up.

                  1. 3

                    If you want to run code, then wasm should be your thing. By default wasm doesn’t define any APIs and if there are some, they are handed in from whatever is instantiating the module (this is also known as capability-based security, because it can only access things that you explicitly put into its namespace).

                    There are WebAssembly runtimes that are not in the browser, so that might solve your use case? Specifically, if you define your own APIs and hand them into the module.

                    1. 1

                      I think the whitelist approach is a must here, but in your view what is the benefit of WebAssembly over an approach like gVisor or mbox where a supervisor process proxies all system calls?

                      That supervisor process can choose to expose as wide or as narrow an API as is desired in either case.

                    1. 11

                      Why is it so hard to supply a reasonable example in the article?

                      1. 22

                        because it’s not an article, but a mailing list post for people with context?

                        1. 3

                          Why not use tar? If it has to be plain text, pipe into base64. Nothing beats the portability of using widely distributed tools imho.

                          1. 3

                            Really here they are selling the idea more than program. It’s actually better.

                            1. 2

                              I thought the same, then realized there’s some utility to what they are doing: they make the metadata like file names and locations plain text as well. I dunno if it’s going to take over the world, but it’s a neat thought.

                              1. 1

                                Doesn’t the tar command have an option to list the filenames and directories contained within? Sure, you have to run the command instead of simply opening the file in whatever text editor or reader.

                            1. 5

                              Why do you even need 5 tracking pixels? Isn’t one enough?

                              1. 11

                                The most obvious reason is that they may be getting money from the owner of each tracking pixel. Because of the way http works, cookies can only be set and retrieved on domains for which web requests are performed. Thus remarketing and measurement companies find it valuable to have cookies on their own domains.

                                Secondarily, having multiple tracking pixels can be useful for a complicated use-case that’s often called “cookie match”, but it isn’t strictly necessary for that purpose. Unfortunately, cookie match is still an esoteric subject; the best write-up I can give you about it is this article. Disclosure: I provided information for the article.

                                1. 1

                                  Because there are at least 5 companies who gather user data. This tracking only becomes viable if the user is visiting multiple websites with tracking from the same provider. Then a profile can be created. To be sure some websites send data to more than one tracking provider. Also websites usually only get access to tracking providers where they send data to.

                                  1. 1

                                    They will claim it’s for bot & spam detection.

                                  1. 6

                                    There will be SNOW!

                                    1. 1

                                      Be careful what you wish for lol. The weather here in Indiana for the last week has been:

                                      • Snow
                                      • Rain
                                      • Freezing rain
                                      • More snow

                                      Several asses have been busted on unsalted sidewalks in the last week or so.

                                    1. 3

                                      Good summary of upcoming changes to cookies (with the Same-Site Cookie default behavior changing) and the difference between an origin and a site.

                                      1. 5

                                        Literally happened to me with random u64 values passed through Rust serde’s JSON serialization. I worked around it with numbers stored as strings but was eventually able to use counters instead of u64. Was fun to debug.
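                                        The failure the comment describes, reproduced on the consuming side (an added example, not the commenter’s code): a u64 emitted as a bare JSON number is silently rounded by any parser whose number type is a double, which is what `JSON.parse` does in JavaScript. The block shows the silent loss, a check that turns it into a loud error, and the “store it as a string” workaround with a matching serializer. The value and field name are constructed.

```javascript
// Added example: round-tripping a u64 through JSON in JavaScript, where
// every number is an IEEE-754 double.

// Constructed value: 2^64 - 2, a valid u64 above Number.MAX_SAFE_INTEGER (2^53 - 1).
const ORIGINAL = 18446744073709551614n;
const AS_NUMBER = `{"id":${ORIGINAL}}`;     // bare number, as a naive serializer emits
const AS_STRING = `{"id":"${ORIGINAL}"}`;   // the "store it as a string" workaround

// Naive parse, then compare with the original. For AS_NUMBER the literal is
// rounded to the nearest double (2^64) and no error is raised.
function roundTripsExactly(json) {
  const parsed = JSON.parse(json);
  return BigInt(parsed.id) === ORIGINAL;
}

// Fail loudly instead of silently. The reviver only sees the already-converted
// number, so it cannot recover the digits, but it can refuse to continue.
// For the string form it converts the id to a BigInt.
function strictParse(json) {
  return JSON.parse(json, (key, value) => {
    if (typeof value === 'number' && Number.isInteger(value) && !Number.isSafeInteger(value)) {
      throw new RangeError(`field "${key}" exceeds the safe integer range`);
    }
    if (key === 'id' && typeof value === 'string') return BigInt(value);
    return value;
  });
}

function strictParseRejects(json) {
  try {
    strictParse(json);
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

// Serializer for the string workaround: JSON.stringify throws on BigInt
// unless a replacer converts it first.
function serializeWithStringIds(obj) {
  return JSON.stringify(obj, (key, value) => (typeof value === 'bigint' ? value.toString() : value));
}
```

The same rounding happens in any consumer that parses JSON numbers into doubles (many JSON libraries do by default), so the producer cannot assume the problem is confined to JavaScript; emitting the string form, or a counter that stays below 2^53, removes the ambiguity.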

                                        1. 45

                                          Secretly? /etc/apt/sources.list.d/ is the opposite of secret.

                                          1. 12

                                            Just a click baiting title, there is nothing secret about it.

                                            1. 10

                                              I wanted to comment exactly this. Don’t you see it in the output of apt update?

                                              Also, Raspbian is not the only Linux distribution one can run on a Raspberry Pi. Off the top of my head: Debian, Fedora and Alpine run on the Raspberry Pi 2+. And that doesn’t include the three major BSD systems, which all run on it as well…

                                            1. 4

                                              Badly. (I sometimes blog about it.)

                                              1. 2

                                                I also put it on my blog so other people can find it too.

                                                1. 1

                                                  I’m inconsistent about that, but I blog for two reasons:

                                                  1. Writing practice. I find my writing skills improve that way.
                                                  2. Help me remember things I’ve learned that either weren’t very discoverable from a search engine or that I’ve had to search for 3 or more times. (The act of writing helps cement it in my memory sometimes.)

                                                1. 3

                                                  Self-hosting-ish a blog of static pages. The rest is hosted by someone else.

                                                  I actually really don’t enjoy ops and maintenance. The little free time I get besides work and family is spent on goofing off on immature code to learn new concepts or language.

                                                  1. 2

                                                    How does this affect tracking through CDNs? When CDNs started getting popular and I asked how they avoid tracking users through referral headers, the answer was that the resource probably is cached anyway, so the information the CDNs are getting is minimal.

                                                    Now with partitioning, CDNs will get a lot more information on which sites are linking to them.

                                                    1. 1

                                                      Not exactly. The cache is keyed by the first party. Effectively, the resource from the CDN will be downloaded once for every site that is using it. The cache key is no longer “cdn.example/jquery.js”. When you use jQuery from that CDN on website.example the cache entry is “cdn.example/jquery.js, when used on website.example”. Once you move over to other-website.example, the cache entry will not miss. The browser has to download jQuery again and can store it under the cache entry “cdn.example/jquery.js when used on other-website.example”.

                                                      Referrer information is soon going to be stripped more strictly for cross-origin requests too.
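                                                      The keying change described above, as a toy simulation (an added example written for this page, not Firefox’s code): the same cache is run once keyed by URL alone and once keyed by URL plus top-level site, while recording which sites cause a request to reach the CDN. The hostnames and the script URL are constructed, and “site” is approximated as the last two labels of the top-level host; real browsers derive it from the public suffix list.

```javascript
// Added example: unpartitioned vs partitioned HTTP cache, toy version.
// Assumption: siteOf() is a crude eTLD+1 (last two labels), enough for the
// constructed hosts below.
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

class ToyCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Set();
    this.cdnRequests = [];   // what the CDN observes: which site triggered each fetch
  }

  keyFor(url, site) {
    return this.partitioned ? `${url} | top-level site ${site}` : url;
  }

  // Load a subresource while the user is on a page served from topLevelHost.
  load(url, topLevelHost) {
    const site = siteOf(topLevelHost);
    const key = this.keyFor(url, site);
    if (this.entries.has(key)) return { hit: true, key };
    this.cdnRequests.push({ url, site });
    this.entries.add(key);
    return { hit: false, key };
  }
}

// Constructed browsing session: three pages embed the same CDN-hosted script.
// The first and third page belong to the same site, so with partitioning they
// share one entry; the second page is a different site and gets its own.
function simulate(partitioned) {
  const cache = new ToyCache(partitioned);
  const url = 'https://cdn.example/jquery.js';
  const pages = ['www.website.example', 'other-website.example', 'blog.website.example'];
  const hits = pages.map((host) => cache.load(url, host).hit);
  return { hits, sitesSeenByCdn: cache.cdnRequests.map((r) => r.site) };
}
```

Unpartitioned, the CDN is contacted once and learns only the first site; partitioned, it is contacted once per top-level site, which is the extra visibility the follow-up comments discuss, and why the accompanying referrer-stripping matters.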

                                                      1. 1

                                                        Why “Not exactly”? Earlier, cdn.example.com would only get a referrer from website.example, not from other-website.example, because the resource was already cached. Now cdn.example.com will see both referrers. So as I already said, CDNs will get a lot more information from this change.

                                                        Referrer information is soon going to be stripped more strictly for cross-origin requests too.

                                                        That’s great and that would indeed be a great privacy improvement. Literally can’t wait.

                                                        1. 1

                                                          You can already strip referer headers with web extensions. See https://addons.mozilla.org/en-US/firefox/addon/smart-referer/

                                                    1. 7

                                                      I always wonder how much all the privacy changes going into Firefox affect measured market share. Also adblock usage, which I’d (blindly) assume to be higher on Firefox than Chrome.

                                                      1. 13

                                                        Mozilla has been placing ads in the German subway. (I’ve seen it first in Hamburg, but I’ve also seen it in Cologne, Berlin and Munich.) It says in German “This ad has no clue about who you are and where you’re coming from. Online trackers do. Block them! And protect your privacy. With Firefox.” (Not my tweet, but searching for “firefox werbung u-bahn” yielded this tweet.)

                                                        I feel that Mozilla is going all in on privacy. (Context: Germany is a very private society culturally and also due to its past. Also one of the countries with the highest usage of Firefox.)

                                                        1. 4

                                                          Firefox isn’t a particularly aggressive browser on privacy though; Safari and Brave are much further ahead on this and have been for a long time. I think at this point Mozilla’s claims to the contrary are false advertising - possibly literally, given that they apparently have a physical marketing campaign running in Germany. Even the big feature Mozilla are trumpeting in this release has already been implemented by Chrome!

                                                          While I think privacy is a big motivator for lots of people and could be a big selling point of Firefox, I think consumers correctly see that Mozilla is not especially strong on privacy. Anyway I don’t see this realistically arresting the collapse in Firefox’s market share which is reduced by something like 10% in the last six months alone (ie: from 4.26% to 3.77%). On Mozilla’s current course they will probably fall to sub-1% market share in the next couple of years.

                                                          1. 10

                                                            You can dismiss this comment as biased, but I want to share my perspective as someone with a keen interest in strict privacy protections who also talks to the relevant developers first-hand. (I work on Security at Mozilla, not Privacy).

                                                            Firefox has had privacy protections like Tracking Protection, Enhanced Tracking Protection and First Party Isolation for a very, very long time. If you want aggressive privacy, you will always have to seek it for yourself. It’s seldom in the defaults. And regardless of how effective that is, Mozilla wants to serve all users. Not just techies.

                                                            To serve all users, there’s a balance to strike with site breakage. Studies have shown that the more websites break, the less likely it is that users are going to accept the protection as a useful mechanism. In the worst case, the user will switch to a different browser that “just works”, but we’ve essentially done them a disservice. By being super strict, a vast amount of users might actually get less privacy.

                                                            So, the hard part is not being super strict on privacy (which Brave can easily do, with their techie user base), but making sure it works for your userbase. Mozilla has been able to learn from Safari’s “Intelligent Tracking Protection”, but it’s not been a pure silver bullet ready for reuse either. Safari also doesn’t have to cave in when there’s a risk of market share loss, given that they control the browser market share on iOS so tightly (aside: every browser on iOS has to use a WebKit webview. Bringing your own rendering engine is disallowed. Chrome for iOS and Firefox for iOS are using WebKit webviews.)

                                                            The road to a successful implementation required many iterations, easy “report failure” buttons and lots of baking time with technical users in Firefox Beta to support major site breakage and produce meaningful bug reports.

                                                            1. 5

                                                              collapse in Firefox’s market share which is reduced by something like 10% in the last six months alone (ie: from 4.26% to 3.77%)

                                                              On desktop it’s actually increased: from 7.7% last year to 8.4% this year. A lot of the decrease in total web users is probably attributable to the increase in mobile users.

                                                              Does this matter? I don’t know; maybe not. But things do seem a bit more complex than just a single 2-dimensional chart. Also, this is still millions of people: more than many (maybe even most) popular GitHub projects.

                                                              1. 3

                                                                That’s reassuring in a sense but also baffling for me as Firefox on mobile is really good and can block ads via extensions so I really feel like if life was fair it would have a huge market share.

                                                                1. 5

                                                                  And a lot of Android phones name Chrome just “Browser”; you really need to know that there’s such a thing as “Firefox” (or indeed, any other browser) in the first place. Can’t install something you don’t know exists. This is essentially the same as the whole Windows/IE thing back in the day, eventually leading to the browserchoice.eu thing.

                                                                  On iOS you couldn’t even change the default browser until quite recently, and you’re still stuck with the Safari render engine of course. As far as I can tell the only reason to run Firefox on macOS is the sync with your desktop if you use Firefox.

                                                                  Also, especially when looking at world-wide stats then you need to keep in mind that not everyone is from western countries. In many developing countries people are connected to the internet (usually on mobile only) and are, on average, less tech-savvy, and concepts such as privacy as we have are also a lot less well known, partly for cultural reasons, partly for educational reasons (depending a bit on the country). If you talk to a Chinese person about the Great Firewall and the like then they usually don’t really see a problem with it. It’s hard to understate how big the cultural divide can be.

                                                                  Or, a slightly amusing anecdote to illustrate this: I went on a Tinder date last year (in Indonesia), and at some point she asked me what my religion was. I said that I have no religion. She just started laughing like I said something incredibly funny. Then she asked which God I believe in. “Well, ehh, I don’t really believe in any God”. I thought she was going to choke on laughter. Just the very idea that someone doesn’t believe in God was completely alien to her; she asked me all sorts of questions about how I could possibly not have a religion 🤷 Needless to say, I don’t talk much about my religious views here (also, because blasphemy is illegal and people have been fined and even jailed over very minor remarks). Of course, this doesn’t describe all Indonesians; I also know many who hate all this religious bullshit here (those tend to be the fun ones), but it’s not the standard attitude.

                                                                  So talking about privacy on the internet and “software freedom as in free speech” is probably not too effective in places where you don’t have privacy and free speech in the first place, and where these values don’t really exist in the public consciousness, which is the majority of the world (in varying degrees).

                                                                  1. 3

                                                                    And a lot of Android phones name Chrome just “Browser”; you really need to know that there’s such a thing as “Firefox” (or indeed, any other browser) in the first place. Can’t install something you don’t know exists. This is essentially the same as the whole Windows/IE thing back in the day, eventually leading to the browserchoice.eu thing.

                                                                    Yes. And the good thing is: the EU commission is at it again. Google was fined in 2018. Actually, new Android devices should now ask the user about the browser.

                                                                  2. 2

                                                                    The self-destructing cookies plugin is the thing that keeps me on Firefox on Android. It’s the first sane cookie policy I’ve ever seen: When you leave a page, cookies are moved aside. Next time you visit it, all of the cookies are gone. If you lost some state that you care about (e.g. persistent login), there’s an undo button to bring them back, and you can bring them back and add the site to a list that’s allowed to leave persistent cookies at the same time. I wish all browsers would make this the default policy out of the box.

                                                              2. 4

                                                                But WhatsApp is still the main way to communicate.

                                                                1. 2

                                                                  That’s probably true in every country. The Germans I know are all big on Signal.

                                                            1. 4

                                                              Note that Chrome implemented this earlier than Firefox: https://developers.google.com/web/updates/2020/10/http-cache-partitioning.

                                                              1. 12

                                                                It reads to me as if Chrome only partitions the http cache. Firefox does it for all network state.

                                                                1. 10

                                                                  Sure, meaning only that Google no longer needs this ability and is shutting the door behind them. When Google leaves the marketplace, it will be harder for someone else to replace their advertising dominance.

                                                                  1. 3

                                                                    A darkly cynical view (which I hope is not true!) is that Google no longer needing this misfeature is what made it politically possible for Firefox to implement their change.