Threads for ianopolous

  1. 2

    It could be interesting to see if it is possible to use graalpython. It’s probably not compatible enough yet, but that could be solved. My guess (from Truffle’s results with other dynamic languages like ruby) is it will be faster than any other approach. E.g. being able to inline across the python/C boundary.

    1. 1

      Maybe. I hear that they still have long warmups though.

    1. 3

      Just a nitpick, but blogs should have the published date of the articles.

      1. 3

        Agreed. We actually have it in the source, but for some reason the Pelican templating isn’t outputting it.

      1. 5

        Look after the new fork()

        1. 41

          This take comes up every so often, e.g. in some of the linked articles. I’m sympathetic to many of the concerns raised, but I’ve yet to see serious engagement with some of the deeper issues raised. For example:

          • A significant number of security and privacy-enhancing technologies (PET) have received US military funding or other support. See: Tor from the Naval Research Lab, OpenBSD from DARPA. SELinux comes from the NSA. The Open Technology Fund has also support Ricochet, WireGuard, Delta.chat, and Briar (that the author recommends), etc. (link). Are all these tools suspect?
            • As an aside, the EU also funds a significant number of PETs. While not as egregious as the US, the EU is no enemy of mass surveillance, either.
          • One reason for Signal’s centralization is, in short, that it’s hard to update federated protocols, including their security features. E2E encryption in XMPP or email is still a pain, and far from usable for most people. I hope that e.g. Matrix can pull it off, but they face challenges that centralized services don’t. With a centralized service, you know that you can handle unforeseen security developments quickly. Shouldn’t this be a key priority for a security tool?
          • Using phone numbers as identifiers has its benefits: you don’t need to store users’ contacts on your servers. A service like Wire, that does allow you to sign up without a phone number, has to store your full social graph on their end. Avoiding this sort of metadata is a hard problem — Signal has opted for minimizing the amount they store.
          • It’s hard to overstate how much ease of use matters when it comes to gaining mass adoption for these tools. For a long time, privacy & security tools were super user-unfriendly, reserved only for a small technical elite (see PGP). If we want to combat mass surveillance, we need tools that the masses want to install (in my experience, it’s hard enough to convince activist groups to migrate off Discord or Slack — the alternatives need to be similarly easy to use).

          Not trying to shill for Signal — I share many frustrations with the author, e.g. on Signal’s approach to open source — but I’d like to see a little more nuance in articles like this one.

          1. 16

            Using phone numbers as identifiers has its benefits

            Indeed. This was WhatsApp’s big innovation, and is how WhatsApp basically took the ball away from the phone companies and made them into wireless Internet carriers. Signal is a WhatsApp alternative, and to be that it has to play in the same ballpark.

            1. 5

              And $50M of Signal’s funding (which is the majority of its funding) comes from one of WhatsApp’s founders. He probably has a lot more influence on the direction of Signal than the CIA and his motivation is to have something like WhatsApp that isn’t under Facebook’s control.

            2. 8

              A significant number of security and privacy-enhancing technologies (PET) have received US military funding [tor, OpenBSD, SELinux, etc]

              Not to mention the fact that the development of Internet itself was funded by the US military (DARPA).

              1. 5

                My take on the military-industrial-intelligence complex funding is that the NSA does it to provide communication security for US-backed dissidents in rival countries, to support “color revolutions” there. The fact that they may benefit activists and/or criminals in the US is considered an acceptable cost.

                I think that in principle, using phone numbers as identifiers is bad, and ignores realistic threat models for people like abused spouses. But in practice, it makes it much easier to get people to adopt it, because they don’t need to create a login and password, and you can use the Signal app as a simple drop-in replacement for your SMS app on Android, and get added security incrementally as your contacts adopt it. The frivolous stuff like stickers and gifs helps with this, and OWS have bent over backward to provide secure implementations that actually meet people’s needs.

                Centralized and federated protocols both have challenges (different ones) from security perspectives. In practice, Matrix is a little over-centralized right now, anyway.

                For me, adding a cryptocurrency for payments is Signal’s “jump the shark” moment, but I’m still using it for friends and family.

                1. 3

                  A service like Wire, that does allow you to sign up without a phone number, has to store your full social graph on their end.

                  There’s no need to do this. For example in Peergos you can sign up with just a username and password, but your server can’t see your social graph (short of doing timing + IP address attacks that also apply to Signal, even with sealed sender - and even these will go away once we have onion routing). You store your own social graph in your own encrypted data, without any visibility to the server. Of course this means that you can only add new friends by their username, but this becomes less of a problem when you allow discovering friends of friends via comments in your news feed.

                  1. 2

                    As an aside, the EU also funds a significant number of PETs. While not as egregious as the US, the EU is no enemy of mass surveillance, either.

                    The OP also has articles called “list of US hate crimes” and “list of US atrocities”, and he praises the Chinese for not using signal. I think being anti-US is as important to him as being pro-privacy.

                    1. 1

                      Adding Tor to the list of government funded PETs.

                    1. 2

                      Sounds fun! And I like your goals. Have you considered using the Truffle JVM framework to implement it? Then you only need to implement an interpreter for your AST and you get a state of the art specialised JIT compiler and AOT compilation for free, without needing to touch Java bytecode.

                      1. 2

                        Yeah I looked at Truffle a while ago, it seems really nice. It does conflict with my goal of being on the latest version of the JVM. I’d like to integrate with Valhalla and Loom asap, and the Graal VM seems to lag behind.

                        Since this is partially a JVM learning exercise, I feel like I wouldn’t benefit as much from using Truffle. However for building an actual language, it seems amazing. I’ll definitely look into it in the future as an alternative backend.

                        1. 2

                          Yep, makes sense. I still don’t understand why they removed the JVMCI interface from standard JVMs which meant you could use Graal on any JVM >= 9.

                          You might also be interested in a language someone else is writing on the JVM, though with different goals. They also happen to be the author of the Hotspot compiler (Cliff Click): https://github.com/cliffclick/aa

                          1. 1

                            Wow that looks super interesting, I starred it and will dive into the code later. Thanks for sharing!

                            1. 1

                              I’ve just double checked about JVMCI and it seems they didn’t remove the interface, just the Graal implementation, which makes much more sense. So one can in fact still use Graal and Truffle on any standard JVM >=9.

                              https://openjdk.java.net/jeps/410

                      1. 29

                        Disclaimer: This article covers various things that are NOT right up my alley, so I’ll comment only on some. I’m not going to use my Mozilla Security hat, because I mostly work on other things.

                        I know some of the claims are outdated. E.g., the JIT was rewritten and the analysis by Chris Rohlf doesn’t apply anymore. It is true that win32 lockdown and site isolation aren’t fully ready yet, unless you use Firefox Nightly.

                        1. 1

                          It seems from some of the issues linked from Fission meta bug that Firefox is implementing OOPIF. Is that the case now?

                          e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1698044

                          1. 3

                            Yes, enabling Fission means that different-site iframes are out-of-process.

                            Type “Fission” in the search field in preferences in Nightly to find the checkbox to enable.

                            1. 2

                              That is fantastic news! Thank you!

                        1. 4

                          Finally launching our decentralized encrypted social network in Peergos which is super exciting.

                          Also lots of gardening now the sun has discovered the UK still exists. More running too to counteract weight gain during lockdown.

                          1. 2

                            Lots of chocolate! Chocolate eggs and chocolate koalas. Also getting a new fence installed.

                            1. 4

                              As a consumer I don’t want anything to do with companies that use that level of tracking. I will happily pay for a product that respects me and my privacy. We really need OSes to focus more on privacy and locking down apps using a strict capability system. I’m not a fan of Apple, but at least they seem to be priming everyone for this with their privacy warnings.

                              1. 10

                                I like the aesthetic, but it’s incorrect about Java. There have been Java AOT compilers for decades, and, more recently, free and open source ones. These give you the same end result as Go - a small native stand-alone executable with no runtime except a GC.

                                1. 14

                                  Java AOT compilers are either slow or not fully compliant. There are a few things that make Java difficult for AOT compilation:

                                  • The class loader is part of the spec (and used by the standard library for locales, so the first printf triggers it). A fully compliant implementation must be able to load new Java bytecode. You need to either embed a load-time compiler or not support this part of the spec. This has a knock-on effect on devitualisation: Even if you can statically prove that it’s safe to monomorphise a particular call site given whole-program analysis, your analysis may become wrong after something is loaded.
                                  • Reflection means you can’t actually do reachability analysis if the reflection APIs are used unless you edge a bit closer to symbolic execution and determine an exhaustive set of all of the strings that might be passed to the reflection APIs. This makes it very difficult to create a statically linked binary that doesn’t include the entire Java standard library.
                                  • Every method is virtual except in final classes (where it’s logically virtual, but at least has only a single implementation). Most Java JITs completely discard final because they have more accurate information from the loaded set of classes, so there’s been no incentive for a long time to add final qualifiers on classes for performance. This means that you need to do devirtualisation if you want to do any inlining (which is where most big perf wins come from). This is relatively easy in a JIT: even without a trace-based JIT, you can identify monomorphic and low-order polymorphic call sites and inline and then deoptimise if a call site becomes megamorphic later.

                                  Most Java AOT compilers I’ve seen either completely punt on the class loader / reflection (and risk Oracle suing them, because they have a bunch of patents on bits of Java that are licensed only to 100% conforming implementations - they’ve probably all expired now though), require some special treatment (any class that you will load must be compiled to a .so), or hit really slow paths if you use them (e.g. including a simple interpreter that is used to run every dynamically loaded class, so you hit a factor of 10 or more slowdown when you use the class loader).

                                  1. 7

                                    The AOT compiler I linked can work on a closed world assumption, or it can embed a runtime class loader (which itself is AOT compiled) - you control this at build time. Reflection targets must be determined at build time, but this can be automated with a test run, and you can always manually add entries.

                                    As I mentioned, I’ve tried this out on a complex real world app and it worked fine and performance was excellent.

                                    GraalVM (Which native-image is part of) also has other cool stuff like being able to automatically AOT to a JIT based runtime for languages like javascript, python, ruby, wasm, llvm bitcode (c, fortran etc.) (given just an interpreter for that language) using their Truffle framework. The cool thing here is it can also do cross language optimisation. E.g. inlining a call from a ruby method to a C extension.

                                    1. 2

                                      Coincidentally, Amazon have just last week announced that their entire SDK supports this AOT compiler out of the box: https://aws.amazon.com/blogs/developer/graalvm-native-image-support-in-the-aws-sdk-for-java-2-x/

                                    2. 3

                                      Interesting, thanks. I’d heard of that, but I didn’t think they were widely used. When I’ve used applications written in Java I’d always had to run them with java -jar foo.jar or similar … then again, I guess if it was natively compiled I might not have known it was written in Java. Do you know how widely this is done, i.e., Java applications being distributed in a native, compiled format?

                                      1. 8

                                        This is the most recent one I was referring to: https://www.graalvm.org/reference-manual/native-image/

                                        I’ve used it myself on Peergos. Ended up with a 32 MiB executable (including 19 MiB of web assets, sqlite, postgres client, and FUSE bindings).

                                        Thanks for the great article!

                                        1. 4

                                          Nice, thanks for the link. I’m glad “they” are focussing on this for Java these days. 32MB for an app like that isn’t bad at all nowadays (it’d probably be a similar size in Go).

                                    1. 1

                                      if you look at the postJson funcition described in the article as an example of you-might-not-need-jquery. there is no error-handler. how do you find out if there was an error?

                                      1. 2

                                        The error handling I do have (for HTTP errors) is in the callback. I don’t have any error handling for network or lower-level errors here. For this use case it’s a somewhat throwaway or easily-repeatable action, and if nothing happens the user can simply click again. Not perfect, but I think reasonable for my use case here.

                                        1. 1

                                          You can set the onerror property to catch network level errors, e.g. https://github.com/Peergos/web-ui/blob/master/vendor/priors/gwt.js#L84

                                          1. 1

                                            Reminds me of the Turing Tumble mechanical computers for teaching kids (highly recommend).

                                            1. 7

                                              @soatok, I’m curious how you justify the assertion in the questions that the Signal servers have no way of identifying who can contact who? I know Signal blinds the sender of messages, but surely they still see the source IP address? Even if they somehow don’t, because they go through Google first or something, the timing is more than enough. In chats people frequently have a quick series of back and forth messages and over a little bit of time I’m fairly confident you could deduce the social graph from this.

                                              1. 5

                                                That’s a good question. I don’t know.

                                                It may be the case that, if Signal turned malicious and evil tomorrow, they would be able to identify who is talking to who via network timing, like you said. If that’s true, I wouldn’t know any reliable techniques from stopping that attack capability.

                                              1. 2

                                                Thanks! Very interesting! The 10X speedup for curve25519 is very impressive (in linked crypto report). I can’t wait for those primitives to be exposed in webcrypto.

                                                1. 1

                                                  A decentralized social network should have trust-less servers. The servers should just store encrypted data and serve it up, without being exposed to the social graph and with other metadata minimised.

                                                  Identity should also be independent of servers (and hence DNS).

                                                  At the networking layer they will also need to use something like onion routing or a mix network to fully protect the social graph.

                                                  I don’t think existing decentralized social networks can really achieve all this, because privacy isn’t an add-on, it needs to be a fundamental guiding principle at every layer of design.

                                                  1. 1

                                                    May I be debunked around post-quantum proof cryptography: Is it something to bother this early? I feel like this is up to CryptoPeople to tell to NonCryptoPeople about that rather than the other way around.

                                                    I have the impression that it is more about studying well how ciphers face the threat than finding the Golden Bullet.

                                                    1. 3

                                                      Should we be bothering with research and serious implementations? Yes. Quantum computers are an inevitability and it’d be nice to be ready when they’re there.

                                                      Should we be putting them in production? Probably not. Many NIST post-quantum cryptography candidates are still getting attacked left and right. And there’s a non-zero chance that the result will still either be impractical, patent-encumbered or both.

                                                      1. 2

                                                        Being able to build large enough quantum computers to break current asymmetric cryptography is definitely not inevitable. There are many issues that may end up making it physically impossible to make such a computer that runs long enough to do such a computation. Of course, it is prudent to assume it will happen and develop resistant cryptography in the meantime.

                                                    1. 2

                                                      Get a domain and put it on the Public Suffix List. Generate fresh subdomains e.g. .domain.tld for your iframe. Different origin, different security context.

                                                      If you want to opt in to be in a fully different process, you’ll need to look into Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy (COOP and COEP). Even then, you might not, depending on browser and underlying operating system.

                                                      P.S: You may be able to cheat yourself into a separate process using https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Large-Allocation but that doesn’t work with iframes

                                                      1. 1

                                                        Hi @freddyb, thank you for the reply. We’re hoping to rely on OOPIF for isolation - my understanding is Firefox is planning on implementing that? We specifically don’t want to rely on the domain name system for a few reasons. We want to totally lock down the sandboxed code, so no web requests that aren’t intercepted by the service worker for example. This means we can prove that the apps can’t exfiltrate data. We decrypt everything locally and don’t want to expose that to code that is loaded from another server/domain, which you’d have to then trust.

                                                        Other reasons we don’t want to rely on DNS are that we want to be able to work fully offline (including being connected to some local nodes over P2P), and we want self-hosters to not need to do anything to do with domain names (nor to trust us and our servers). We can currently run a localhost Peergos instance which does TLS 1.3 to other Peergos instances using IPFS’s P2P streams, where the address is the public key hash of the target so no need for DNS.

                                                        I’d love to talk with you in more detail if your interested?

                                                        1. 2

                                                          OOPIF are mostly an implementation detail of chrome browser.

                                                          What you need from a specification perspective is your own browsing context group. That’s what you’d get with COEP & COOP.

                                                          1. 1

                                                            I’ve set up an analogous example using COEP and COOP to sandbox the iframe as well as CSP, but it seems to have exactly the same problem. After loading the root document of the iframe from the service worker, any subsequent asset request fails to be intercepted by the service worker and thus 404s. In this case it’s for the image burritocat.jpg

                                                            https://ianopolous.github.io/csp-sandbox/

                                                      1. 2

                                                        Not tested, but IIRC if tou do not use the sandbox attribute and instead use document.origin = document.origin you should get a cross-origin iframe environment that your service worker should be able to intercept…as it is in the same origin.

                                                        …don’t ask how I know this ;-)

                                                        1. 1

                                                          The point is we have sensitive stuff like encryption keys in the outer context. So we need full separate process sandboxing to protect from Spectre et al.

                                                        1. 4

                                                          I wrote up my thoughts on how users can protect themselves from this: https://peergos.org/posts/keybase-left-building