1. 32

    I don’t see why this progress bar should be obnoxiously put at the top of the page. It’s cool if you wanna do a donation drive but don’t push it in the face of everybody who comes here. Honestly at first I thought this was a bar for site expense. Then I realised it’s to ‘adopt’ an emoji.

    1. 7

      Lobsters isn’t a daily visit for most readers, probably even for most users. They can’t see it to join in if there isn’t anything visible for it, and it has an id for adblocking if you prefer not to see it.

      1. 22

        Personally I check this site quite regularly on my mobile device… which doesn’t have an ad-blocker.

        1. 13

          That sounds awful. If you’re an android user, normal uBlock Origin works on Firefox for Android just like it does on desktop. :)

          1. 3

            Or use Block This!, which blocks ads in all apps.

            1. 3

              Oh, that’s a cool little tool. Using a local VPN to intercept DNS is a neat trick. Unfortunately it doesn’t help in this case because it blocks requests to domains and not elements on a page via CSS selectors.

              That does make me want to actually figure out my VPN to home for my phone and setup a pi-hole, though.

            2. 2

              Ohh! Good to know, thanks.

            3. 2

              Firefox 57+ has integrated adblocker nowadays, on both desktop and mobile; plus, there’s also Brave.

            4. 27

              It is still annoying that I need to set up my adblocker to fix lobste.rs. So much for all the rant articles about bad UX/UI in here.

              1. 11

                Maybe one could just add a dismiss button or something like that? I don’t find it that annoying, but I guess it would be a pretty simple solution.

                1. 1

                  I concur, either a client side cookie or session variable.

                  1. 1

                    Well, yeah… that’s how you could implement it, and I guess that would be the cleanest and simplest way?

                2. 2

                  It’d be great to see data about that! Personally I visit daily or at least 3 times a week. Lack of clutter and noise is one of the biggest advantages of Lobsters. And specifically, I looked at the link, and I have no idea who this Unicode organization is, or their charitable performance, or even if they need the money. I’d imagine they are mostly funded by the rich tech megacorps?

                  1. 1

                    [citation needed] ;-)

                  2. 3

                    Adopting an emoji isn’t the end goal: the money goes to Unicode, which is a non-profit organization that’s very important to the Internet.

                    1. 5

                      If this bar actually significantly annoys you, I’m surprised you haven’t literally died from browsing the rest of the internet.

                    1. 12

                      I’ve changed my tune on Bitcoin recently for two reasons, despite still liking its ideals:

                      1. The government intervening in the economy is sometimes a feature, not a bug. In times of economic crisis, for example, the government has unique powers to help. Sometimes it is a bug, but Bitcoin seems to assume that any intervention by any centralized entity, at ALL, is malicious. In fact I intend to take an economics class to be better informed on this very issue.

                      2. The energy use is unconscionable. We’re already destroying the environment at a ridiculous pace and the Bitcoin space (to me, at least, bearing in mind that I don’t REALLY pay attention) seems to be full of anarchists who are determined to have their uncontrollable system at any cost, with absolutely no regard to seemingly unrelated consequences.

                      1. 13

                        The government intervening in the economy is sometimes a feature, not a bug.

                        If by “sometimes a feature” you mean “the only thing that prevents repeated economic collapse” then yes.

                        If you’re interested at all then definitely take a macroeconomics class. And history while you’re at it, especially pre-industrial and early industrial America.

                        1. 5

                          Sometimes == every time bitcoiners fall for a scam and lose money (and suddenly drop all the libertarian stuff and start crying for government help).

                          Look at /r/Buttcoin, the amount of fraud in the cryptocurrency space is beyond ridiculous.

                          1. 1

                            I agree with your observation, but I think understanding the cause is more useful than poking fun at it. I’ve gotten the sense that falling for scams is an expected cost to a certain constituency, specifically the people who are using cryptocurrency as a medium of exchange for things the governments they live under don’t approve of. I don’t expect the prevalence of scams to scare that group away. People who don’t share that driving concern should take note and understand that it’s always likely to be high-risk.

                          2. 1

                            Not that I’m in favor of Bitcoin at all (and I seriously agree with your first point) but I’ve also seen arguments that Bitcoin is used in some places (perhaps it was China?) to help mop up excess energy from renewable sources when they’re at peak output hours. I think the argument went that when the sun is high in the sky on a clear day, or when the wind is really blowing, energy companies will often turn off windmills or solar panels to avoid producing too much energy. In this case, Bitcoin can help use up that excess energy, and by turning it into cash, become a sort of renewable subsidy that makes it more attractive to build more renewable energy sources. I do know there are definitely places where a renewables-powered grid overproduces so much that energy prices become negative.

                            Perhaps this isn’t true, but I think it illustrates that maybe the energy problem is a more complex issue than it appears?

                            1. 7

                              Sounds like some fairy tale told by miners, implying they are not mining 24/7.

                              1. 3

                                Mm, that matches my understanding of how energy production works, but it’s also the case that that energy could go into other things. I think it was actually here on lobste.rs that I learned about kinetic energy storage (roll a ball up a hill, to roll it back down later… that sort of thing) and how it’s used to smooth out energy demand.

                                There’s no way that Bitcoin miners aren’t making things difficult for grid operators. I agree with @isra17 that it’s an extremely self-serving claim.

                              2. -1

                                The energy seems like a fairly trivial cost to me. It’s a fraction of a percent. I’m willing to pay that price, and I’m also optimistic about the future of renewable energy.

                                1. 13

                                  The per-transaction electricity cost was 215 kWh back in November - that’s not trivial in the slightest. At market rates where I live it’s $7 or so.

                                  Credit card processors use several orders of magnitude less per payment made.

                                  1. 1

                                    Well, in dollar terms it either is worth it or it’s not. I’m not particularly concerned about the environmental impact.

                                    1. 9

                                      And whom do you expect to deal with the environmental consequences?

                                      1. 2

                                        whoever’s dealing with it for the other 99.9% of the environmental impact from non-renewable energy sources

                                        1. 7

                                          That would be your descendants.

                                          1. 1

                                            o/ yo

                                            1. 0

                                              if their solution ends up involving defining standards for sufficiently useful computations, well, uh, godspeed

                                    2. 9

                                      A fraction of a percent of what? Energy use? Today Bitcoin is estimated to use as much energy as the country of Denmark. By 2020 it’s estimated it’ll use literally as much energy as we use in the entire planet today. I don’t particularly see how that’s trivial. Source: https://arstechnica.com/tech-policy/2017/12/bitcoins-insane-energy-consumption-explained/

                                      1. 6

                                        Today Bitcoin is estimated to use as much energy as the country of Denmark

                                        That’s far out of date. Denmark consumes approximately 3.5 GW; bitcoin is now at about 5 GW, somewhere between Hong Kong and Bangladesh.

                                        https://digiconomist.net/bitcoin-energy-consumption

                                        By 2020 it’s estimated it’ll use literally as much energy as we use in the entire planet today.

                                        No credible extrapolation is possible, obviously. Energy usage will drop fast when the bubble bursts.

                                        1. 0

                                          Because Denmark has like 5 million people? I’m about as worried about bitcoin as I am about another Denmark popping up (the world gains like 12x the population of Denmark every year)

                                          edit: re 2020: https://xkcd.com/605/

                                        2. 1

                                          I know next to nothing about cryptocurrencies, but my understanding is that Proof of Stake means we don’t need to use this energy. Many coins don’t use this because they weren’t sure whether it was secure. But recently the IOHK team has proven a secure Proof of Stake algorithm for Cardano.

                                          Is there a downside to this approach?

                                          1. 4

                                            The “Criticism” section on the Wikipedia article on Proof of Stake lists a few:

                                            https://en.wikipedia.org/wiki/Proof-of-stake#Criticism

                                            Note that Wikipedia is an ideological battleground when it comes to cryptocurrencies, so make sure to check the citations for a more comprehensive view.

                                            1. 2

                                              I can’t find the source for this despite having seen it just last night (sigh) but IOHK apparently makes you generate your own seed, which has resulted in lots of people using web-based generators that then steal your money. This is a really bad idea and it’s not that hard to read from /dev/urandom and then say “here write this thing down.”

                                              So I wouldn’t really trust them to have done stuff correctly, including Proof of Stake. Obviously that doesn’t mean it can’t be done or even that they haven’t done it - just that I would like to see a lot of scrutiny from experts.

                                              1. 2

                                                So I wouldn’t really trust them to have done stuff correctly, including Proof of Stake.

                                                The point is you don’t have to, they have proofs.

                                        1. 3

                                          By this logic, nothing ever would have had to have been invented. At least if you carry it through to the end, in the way stated, not the way it was intended.

                                          1. 12

                                            This particular line of refutation and critique is probably the most common refrain I hear when this sort of article or sentiment is brought up. It’s also wrong–note the “maybe” in the post title.

                                            Let’s not flatter ourselves: yet another “HTML DOM but with better syntax”, “jQuery but with cleaner syntax”, “HTML DOM but with databinding”, “Angular but with smarter data-binding this time”, “Angular but with version-breaking and typescript”, “HTML DOM but with better diffing”, “React but artisanal”, “React but artisanal but also angular”, is hardly invention in the sense you probably mean it.

                                            1. 10

                                              Our use of common tools has forced us into fixing the things that bother us about them, instead of developing truly new ways of solving our problems. The common solutions don’t make us think, and destroy our ability to think outside the box.

                                              What would software be like if the free software movement never happened? Instead of “buying” loose fitting uniforms, I bet we’d all be excellent fabric makers, and tailors of original clothes that fit just right.

                                              1. 3

                                                And worse, now that we have too many tools to ever fix any of them, there is actually an entire generation of “developers” who simply have no capacity to write quality, durable code.

                                                What would software be like if the free software movement never happened? Instead of “buying” loose fitting uniforms, I bet we’d all be excellent fabric makers, and tailors of original clothes that fit just right.

                                                Some of us anyway.

                                                But unlike good clothing, most people cannot “see” code, so very few people appraise its quality – A lot of people actually think they’re paying for code, that somehow more code is more valuable.

                                                Weird.

                                                I actually welcome legislation that puts programmers and business on the hook legally (with proper teeth, like the GDPR promises to have) for their work, because I would like to always do good work, but I know I can’t do that while being competitive.

                                                1. 3

                                                  And worse, now that we have too many tools to ever fix any of them, there is actually an entire generation of “developers” who simply have no capacity to write quality, durable code.

                                                  This isn’t any different from how it used to be. For as long as we’ve had computers we’ve had people worried about developers writing bad, brittle code. The usual solution? High quality, well tested components we know are good, so that developers have fewer places to screw up.

                                                  Not having to roll our own crypto is, on the whole, a good thing.

                                                  1. 1

                                                    And worse, now that we have too many tools to ever fix any of them, there is actually an entire generation of “developers” who simply have no capacity to write quality, durable code.

                                                    You sound old and grumpy, it’s gonna be alright. I’ve seen old people and the young generation alike write shitty (and good) code. At least by reusing existing components people might have an easier time building systems or complex programs relying on widely used and tested patterns.

                                                    I actually welcome legislation that puts programmers and business on the hook legally (with proper teeth, like the GDPR promises to have) for their work

                                                    How is such legislation going to encourage individuals to take risks and rewrite their own components instead of reusing existing, more tested and widely used ones?

                                                    because I would like to always do good work, but I know I can’t do that while being competitive.

                                                    If you need legislation to be able to market your good work, “maybe it’s you”.

                                                    1. 1

                                                      That probably results in more money for insurance companies but not better software.

                                                      1. 4

                                                        I’m confident if we are planning more, writing better specs, coding more carefully, focusing on reducing code size, and doing more user-testing, then software will be better.

                                                        And there may always be a gap: As we learn where it is, we can probably refine those fines…

                                                    2. 3

                                                      What if I don’t want to be a tailor, though? I want to be a welder, but I can’t, because I spend all my time tailoring!

                                                      Component programming has, historically, been the hoped-for solution to the software crisis. Parnas made that a central advantage of his work on modules, high-correctness software is predicated on using verified components, etc etc. It might not have lived up to its standards, but it’s a lot better than where we used to be.

                                                      Consider the problems you want to think about, and then consider how hard it would be to solve them if you had to write your own compiler.

                                                      1. 2

                                                        It might not have lived up to its standards, but it’s a lot better than where we used to be.

                                                        Hmm. Can you elaborate on why it’s better? I feel that in a lot of ways it’s worse!

                                                        Consider the problems you want to think about, and then consider how hard it would be to solve them if you had to write your own compiler.

                                                        We’ve trained ourselves to make a base set of assumptions about what a computer is, and has to be. A C compiler is just a commodity tool, these days. But, obviously, people have invented their own languages, and their own compilers.

                                                        But, consider a very basic computer, and forth. Forth is simple enough that you can write very big functioning systems, in a small amount of code. Consider the VPRI Steps project that’s been attempting to build an entire computing system in a fraction of the code modern systems take. What would things look like, then?

                                                        1. 1

                                                          Hmm. Can you elaborate on why it’s better? I feel that in a lot of ways it’s worse!

                                                          The most popular Python time library, Arrow, is 2000+ lines of core code and another 2000+ lines of localization code. If you tried to roll your own timezone library you absolutely will make mistakes that will bite you down the line, but Arrow is battle-tested and, to everybody’s knowledge, correct.

                                                          Consider the VPRI Steps project that’s been attempting to build an entire computing system in a fraction of the code modern systems take. What would things look like, then?

                                                          That report lists 17 personnel and was funded by a 5 million dollar grant. I don’t have that kind of resources.

                                                          1. 2

                                                            When was the last time you wrote code that required accurate timezones (UTC is almost always OK for what I do)? And, to be honest, 4,000 lines doesn’t seem like enough to be exhaustive here…

                                                            But, I don’t disagree that there are exceptional things that we should all share.

                                                            Just that, in the current state of things, relying on an external library responsibly, requires a deep understanding of it to use it properly. You can’t rely on documentation—it’s incomplete. You can’t rely on its tests—they don’t exhaustively prove it works. You can’t trust the names of functions—they lie, or at least have ambiguity. And, more often than not, you care about only a small percentage of the functionality, anyway.

                                                            That report lists 17 personnel and was funded by a 5 million dollar grant. I don’t have that kind of resources.

                                                            The point wasn’t “we should all go define 2,000 line systems that do everything.” It was, apparently poorly, attempting to point out that there may have been another way to “compute,” that would have made rolling everything yourself more appropriate. I think it’d be pretty hard to go back to a place where that’s true—the market has spoken, and it’s OK with bloated, completely broken software that forces them to upgrade their computers every 3 years just to share photos in a web browser and send plain text email to their families.

                                                            1. 1

                                                              When was the last time you wrote code that required accurate timezones (UTC is almost always OK for what I do)? And, to be honest, 4,000 lines doesn’t seem like enough to be exhaustive here…

                                                              Maybe not timezones, but definitely https, authentication libraries, web scrapers, crypto, unit testing frameworks, standard library stuff…

                                                              I think it’d be pretty hard to go back to a place where that’s true—the market has spoken, and it’s OK with bloated, completely broken software that forces them to upgrade their computers every 3 years just to share photos in a web browser and send plain text email to their families.

                                                              Right, but I’m asking historically if this was caused by the rise of component-based programming, as opposed to just being correlated with it, or even if it happened despite it! It’s really hard to prove a counterfactual.

                                                    3. 0

                                                      So… do you not believe in evolution, then?

                                                      1. 1

                                                        Tbh, when I read “maybe it’s you”, I understand this as a stylistic device, and don’t read it literally. And I guess it depends on the situation, I totally agree with you that 99% of the “new” stuff invented for the web has no need to be created (which one could generalize to the whole economy if one wanted to). I just want to say that there are situations where being open to new ideas wouldn’t be bad, because sometimes bad ideas are kept just because of a network effect.

                                                        And if we’re already talking about what exactly was written (I should have clarified this, so it’s my fault), I was talking about the title. I know the text says something different, that’s why I said “not the way it was intended”.

                                                        1. 2

                                                          Author here. Thank you for your feedback! You’re right: the title may be construed as an accusation. For the record: it is not. I’ll take better care with such things going forward!

                                                    1. 1

                                                      Cierge utilises reCAPTCHA to ensure magic codes (which expire quickly) are not brute-forceable.

                                                      Is there server side account-based throttling or locking? Relying exclusively on reCAPTCHA means that anyone bypassing it will be able to easily bruteforce the small magic code.

                                                      1. 1

                                                        Bypassing reCAPTCHA doesn’t sound easy. Your first link mentions, at the end of the post, that it doesn’t work anymore. And the second link is based on humans solving reCAPTCHA with an average response time of 10s, which is way too long to brute force. Am I missing something? Anyway, with or without reCAPTCHA, throttling is a must have.

                                                        1. 1

                                                          My point with the first 2 links is to show that every once in a while someone finds some way to bypass reCAPTCHA. reCAPTCHA is not provably secure, it’s just security through a bunch of heuristics. The last link shows how with a few bucks you can solve many thousands of reCAPTCHAs. 10s might look slow, but you can do them concurrently and if there’s no throttling, the attacker has as many tries as he wants, so he’s bound to win sooner or later.
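The server-side throttling the two comments above are asking for, as an added example (not Cierge’s own code). It keeps a per-account attempt counter next to the stored code, so a CAPTCHA bypass buys an attacker only MAX_ATTEMPTS guesses before the code is burned; passing max_attempts=None models the unthrottled case, where sequential guessing is guaranteed to succeed. The in-memory dictionary, the 6-digit code length and the five-minute TTL are assumptions for illustration.

```python
"""Server-side throttling for short, quickly expiring magic codes.

Added example, not Cierge's own code. CODE_STORE is a stand-in for the
database or cache a real service would use; the counter has to live
server side, keyed by account, so bypassing the CAPTCHA does not buy the
attacker unlimited guesses.
"""
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

CODE_DIGITS = 6            # assumption: a 6-digit numeric code, 10**6 possibilities
CODE_TTL_SECONDS = 300     # assumption: codes expire after five minutes
MAX_ATTEMPTS = 5           # wrong guesses allowed per issued code

# account_id -> {"code": str, "expires": float, "attempts": int}
CODE_STORE: Dict[str, dict] = {}


def issue_code(account_id: str, now: Optional[float] = None) -> str:
    """Generate, store and return a fresh code for the account."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    CODE_STORE[account_id] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code


def verify_code(account_id: str, submitted: str, now: Optional[float] = None,
                max_attempts: Optional[int] = MAX_ATTEMPTS) -> str:
    """Return "ok", "invalid", "expired" or "locked".

    The attempt counter is bumped before the comparison, so every wrong
    guess costs one of max_attempts; once they are used up the code is
    discarded and the user must request a new one. max_attempts=None
    models a service with no throttling at all.
    """
    now = time.time() if now is None else now
    entry = CODE_STORE.get(account_id)
    if entry is None:
        return "invalid"
    if now > entry["expires"]:
        del CODE_STORE[account_id]
        return "expired"
    entry["attempts"] += 1
    # constant-time comparison so timing does not leak how many digits matched
    if hmac.compare_digest(entry["code"].encode(), submitted.encode()):
        del CODE_STORE[account_id]          # single use
        return "ok"
    if max_attempts is not None and entry["attempts"] >= max_attempts:
        del CODE_STORE[account_id]
        return "locked"
    return "invalid"


def brute_force(account_id: str, max_attempts: Optional[int] = MAX_ATTEMPTS) -> Tuple[bool, int]:
    """Simulate an attacker who has bypassed the CAPTCHA and submits every
    possible code in order. Returns (succeeded, guesses_made)."""
    guesses = 0
    for candidate in range(10 ** CODE_DIGITS):
        guesses += 1
        result = verify_code(account_id, f"{candidate:0{CODE_DIGITS}d}", max_attempts=max_attempts)
        if result == "ok":
            return True, guesses
        if result in ("locked", "expired"):
            return False, guesses
    return False, guesses


if __name__ == "__main__":
    CODE_STORE["demo"] = {"code": "424242", "expires": time.time() + 60, "attempts": 0}
    print("throttled:", brute_force("demo"))                       # (False, 5)
    CODE_STORE["demo"] = {"code": "000042", "expires": time.time() + 60, "attempts": 0}
    print("unthrottled:", brute_force("demo", max_attempts=None))  # (True, 43)
```

Keying the counter by account rather than by client IP matters: an attacker solving CAPTCHAs from a farm of addresses would otherwise never hit the limit. In a multi-process deployment the increment-then-compare must be atomic in the shared store, or concurrent requests can each see a count below the limit.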

                                                      1. 25

                                                        Spectre PoC: https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6 (I had to inline one #DEF, but otherwise works)

                                                        1. 5

                                                          I’ve tested it with some success on FreeBSD/HardenedBSD on an Intel Xeon. It works on bare metal, but doesn’t work in bhyve.

                                                          1. 4

                                                            oh god that runs quickly. terrifying.

                                                            1. 3
                                                              $ ./spectre
                                                              Reading 40 bytes:
                                                              Illegal instruction (core dumped)
                                                              

                                                              That was kinda disappointing. (OpenBSD on Hyper-V here.)

                                                              1. 10

                                                                It worked for me on OpenBSD running on real hardware.

                                                                1. 1

                                                                  That was kinda disappointing. (OpenBSD on Hyper-V here.)

                                                                  perhaps it was the cache flush intrinsic.

                                                                2. 2

                                                                  I’m impressed how easy it is to run this PoC - even for somebody who hasn’t done C programming for years. Just one file, correct the line

                                                                  #define CACHE_HIT_THRESHOLD(80)

                                                                  to

                                                                  #define CACHE_HIT_THRESHOLD 80

                                                                  then compile: gcc -O0 -o spectre spectre.c

                                                                  run:

                                                                  ./spectre

                                                                  and look for lines with “Success: “.

                                                                  I am wondering if there is some PoC for JavaScript in the Browser - single HTML page with no dependencies containing everything to show the vulnerability?

                                                                  1. 2

                                                                    I’ve been playing quickly with the PoC. It seems to work just fine on memory with PROT_WRITE only, but doesn’t work on memory protected with PROT_NONE. (At least on my CPU)

                                                                  1. 1

                                                                    As someone else below said, you can just always return “password is incorrect” regardless of whether the user exists. The key is not to vary the message based on whether the user ID entered exists or not.

                                                                    The “ways to deduce a username” are also quite specific and only work because logins are username based not email based AND because GitHub profiles are public.

                                                                    But hey, I guess “suggested method X doesn’t work quite as expected in situations Y and Z” isn’t as catchy as “X is bullshit” now is it?

                                                                    1. 1

                                                                      Have you read the article? “password is incorrect” doesn’t change anything. You could remove the error message and it wouldn’t change anything. The point of the article is that whatever you try to do, you can simply go to the sign up page and check if you can create an account under a given username or email and check the result. It is not specific to whether you use email, username or github profiles.

                                                                      1. 3

                                                                        Login page and signup page are two separate things where we have the same goal: don’t leak existence of user accounts.

                                                                        On the login screen, returning the same error message all the time achieves this.

                                                                        On the signup screen, the solution is simple: make usernames display only (i.e. not used for login) and don’t show “already registered” errors for email.
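The two halves of that fix side by side, as an added example that is not code from the article or from any of the commenters. The leaky variants return a different response depending on whether the account exists (and, on login, skip the password hash entirely for unknown users, which also leaks through timing); the hardened login always hashes against a dummy credential and returns one generic message, and the hardened signup always answers identically, pushing the “already registered” information into an email that only the address owner can read. The in-memory user table and the outbox that stands in for an SMTP sender are constructed for illustration.

```python
"""Uniform login and signup responses so neither page reveals whether an
account exists. Added example; the user table and outbox are constructed
stand-ins for a real database and mail sender."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Tuple

USERS: Dict[str, Tuple[bytes, bytes]] = {}     # email -> (salt, password hash)
PENDING: Dict[str, str] = {}                   # email -> confirmation token
OUTBOX: List[Tuple[str, str]] = []             # (recipient, message) instead of SMTP

GENERIC_LOGIN_ERROR = "Invalid email or password."
GENERIC_SIGNUP_MESSAGE = "Check your email to continue."


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[email] = (salt, _hash(password, salt))


# Hashing against a dummy credential when the account is missing keeps the
# unknown-user path as slow as the known-user path, so response time does
# not reveal existence either.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def leaky_login(email: str, password: str) -> str:
    """Distinct errors for 'no such user' and 'wrong password': enumerable."""
    if email not in USERS:
        return "No account with that email."
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Incorrect password."
    return "ok"


def login(email: str, password: str) -> str:
    """Same message and same amount of work whether or not the email exists."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if matches and email in USERS:
        return "ok"
    return GENERIC_LOGIN_ERROR


def leaky_signup(email: str, password: str) -> str:
    """Signup that confirms existence: the bypass the article points out."""
    if email in USERS:
        return "That email is already registered."
    register(email, password)
    return "Account created."


def signup(email: str) -> str:
    """Always respond identically. An existing account gets a notice, a new
    address gets a confirmation link, and nothing is created (and no password
    collected) until that link is followed."""
    if email in USERS:
        OUTBOX.append((email, "Someone tried to sign up with your address. "
                              "If that was you, use the password reset page."))
    else:
        token = secrets.token_urlsafe(16)
        PENDING[email] = token
        OUTBOX.append((email, f"Confirm your account: /confirm/{token}"))
    return GENERIC_SIGNUP_MESSAGE


if __name__ == "__main__":
    register("alice@example.com", "correct horse battery staple")
    print(leaky_login("alice@example.com", "x"), "|", leaky_login("nobody@example.com", "x"))
    print(login("alice@example.com", "x"), "|", login("nobody@example.com", "x"))
    print(leaky_signup("alice@example.com", "x"), "|", leaky_signup("new@example.com", "x"))
    print(signup("alice@example.com"), "|", signup("other@example.com"))
```

The same discipline has to extend to password reset and to any “is this username taken?” endpoint; the display-only usernames the comment mentions are what make the latter harmless, since a public display name no longer maps to a login identifier.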

                                                                    1. 14

                                                                      A logo vulnerability for a local exploit without privesc for software with a small market share, running on a system with an even smaller market share. I’m always interested in writeups, but I doubt the landing/marketing page was required.

                                                                      1. 14

                                                                        Yes but think about context: they’re working with GIMP. 😜

                                                                        1. 1

                                                                          I think I’m missing the joke here.

                                                                          1. 3

                                                                            I think the joke is that since the vulnerability is in an image editor, that of course they had to make a logo for the vulnerability using the image editor.

                                                                        2. 5

                                                                          I think being picky about the distinction between “logo deserving vuln” and “just a CSVCVE [1]” is silly, because whatever we were doing before to communicate security issues and get end users to pay attention wasn’t working at all. I don’t know if this is better, but at least it’s different.

                                                                          [1]: I am currently working on a CSV issue… blah

                                                                          1. 4

                                                                            It’s worth noting that the page says that no one from the GIMP team seems to take them seriously. The publicity that this site will get might help that change.

                                                                            1. 1

                                                                              Did you see what @hanno responded to this on twitter?

                                                                              There were some comments criticizing me for making such a buzz about FLIMP. But one day later we have default HTTPS downloads for GIMP and people start working on merging patches & fixing stuff. It worked.

                                                                            1. 17

                                                                              If only json had allowed trailing commas in lists and maps.

                                                                              1. 9

                                                                                And /* comments! */

                                                                                1. 3

                                                                                  And 0x... hex notation…

                                                                                  1. 3

                                                                                    Please no. If you want structured configs, use yaml. JSON is not supposed to contain junk, it’s a wire format.

                                                                                    1. 4

                                                                                      But YAML is an incredibly complex and, truth be told, rather surprising format. Every time I get it, I convert it to JSON and go on with my life. The tooling and support for JSON is a lot better; I think YAML’s place is on the sidelines of history.

                                                                                      1. 4

                                                                                        it’s a wire format

                                                                                        If it’s a wire format not designed to be easily read by humans, why use a textual representation instead of binary?

                                                                                        If it’s a wire format designed to be easily read by humans, why not add convenience for said humans?

                                                                                        1. 1

                                                                                          Things don’t have to be black and white, and they don’t even have to be specifically designed to be something. I can’t know what Douglas Crockford was thinking when he proposed JSON, but the fact is that since then it did become popular as a data interchange format. It means it was good enough and better than the alternatives at the time. And it still has its niche despite a wide choice of alternatives along the spectrum.

                                                                                          What I’m saying is that adding comments is not necessarily a sure-fire way to make it better. It’s a trade-off, with a glaring disadvantage of being backwards incompatible. Which warrants my “please no”.

                                                                                      2. 1

                                                                                        http://hjson.org/ is handy for human-edited config files.

                                                                                        1. 1
                                                                                        2. 5

                                                                                          The solutions exist!

                                                                                          https://github.com/json5/json5

                                                                                          I don’t know why it’s not more popular, especially among go people.

                                                                                          There is also http://json-schema.org/

                                                                                          1. 3

                                                                                            I had to do a bunch of message validation in a node.js app a while ago. Although as Tim Bray says the spec’s pretty impenetrable and the various libraries inconsistent, once I’d got my head round JSON Schema and settled on ajv as a validator, it really helped out. Super easy to dynamically generate per message-type handler functions from the schema.

                                                                                            1. 2

                                                                                              One rather serious problem with json5 is its lack of unicode.

                                                                                            2. 3

                                                                                              I think this only shows that JSON has chosen tradeoffs that make it more geared to being edited by software, but has the advantage of being human editable/readable for debugging. JSON as config is not appropriate. There are so many more appropriate formats (TOML, YAML or even INI come to mind); why would you pick the one that doesn’t allow comments and nice sugar such as trailing commas or multiline strings? I like how Kubernetes does use YAML for its configuration files, but seems to work internally with JSON.

                                                                                              1. 8

                                                                                                IMO YAML is not human-friendly, being whitespace-sensitive. TOML isn’t great for nesting entries.

                                                                                                Sad that JSON made an effort to be human-friendly but missed that last 5% that everyone wants. Now we have a dozen JSON supersets which add varying levels of complexity on top.
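The “last 5%” the thread keeps coming back to (comments and trailing commas, as asked for a few comments up) is small enough to show in full. This is an added example, not code from hjson, json5 or any commenter: a string-aware preprocessor that strips `//` and `/* */` comments and trailing commas, then hands the result to the strict standard-library parser. The two-pass design is an assumption of this example, chosen so a comment sitting between a trailing comma and its closing bracket is handled correctly.

```python
import json


def _string_end(text: str, i: int) -> int:
    """Given text[i] == '"', return the index just past the closing quote, honouring escapes."""
    j = i + 1
    while j < len(text):
        if text[j] == "\\":
            j += 2          # skip the escaped character, so \" does not close the string
        elif text[j] == '"':
            return j + 1
        else:
            j += 1
    raise ValueError("unterminated string literal")


def strip_comments(text: str) -> str:
    """Remove // line comments and /* block */ comments that sit outside string literals."""
    out, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':
            j = _string_end(text, i)
            out.append(text[i:j])   # strings are copied whole, so "http://x" keeps its //
            i = j
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j < 0 else j   # keep the newline itself
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            if j < 0:
                raise ValueError("unterminated block comment")
            i = j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def strip_trailing_commas(text: str) -> str:
    """Drop a comma that is followed only by whitespace and then ] or }."""
    out, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':
            j = _string_end(text, i)
            out.append(text[i:j])
            i = j
        elif c == ",":
            j = i + 1
            while j < n and text[j] in " \t\r\n":
                j += 1
            if j < n and text[j] in "]}":
                i += 1              # trailing comma: drop it, keep the whitespace after it
            else:
                out.append(c)
                i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def loads_relaxed(text: str):
    """Parse JSON that may contain comments and trailing commas; everything else stays strict."""
    return json.loads(strip_trailing_commas(strip_comments(text)))
```

The caveat a practitioner should keep in mind is the one that makes “a dozen JSON supersets” a security topic rather than a taste question: a relaxed reader on one side of an interface and a strict one on the other gives two components different views of the same document, and a value that one of them silently discards as a comment is exactly the kind of thing the other may act on. Use a relaxed loader for files humans edit, and keep the wire format strict.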

                                                                                                1. 11

                                                                                                  “anything whitespace sensitive is not human friendly” is a pretty dubious claim

                                                                                                  1. 5

                                                                                                    Solution: XML.

                                                                                                    Not even being ironic here. It has everything you’d want.

                                                                                                    1. 5

                                                                                                      And a metric ton of stuff you do not want! (Not to mention…what humans find XML friendly?)

                                                                                                      This endless cycle of reinvention of S-expressions with slightly different syntax depresses me. (And yeah, I did it too.)

                                                                                                      1. -5

                                                                                                        Triggered.

                                                                                                        1. 13

                                                                                                          Keep this shit off lobsters.

                                                                                                1. 2

                                                                                                  That we are “software engineers”, despite not knowing or having a repeatable process or methodology that results in the successful delivery of a large team - complex project, on-time, on-budget and to some specification.

                                                                                                  1. 2

                                                                                                    There are attempts at doing the “Engineering” part of Software Engineer. But when talking and/or working with people (Lobsters included), the common conception is that they are only dull documents used by managers to slow down or drive insane the smart developers.

                                                                                                    Ref: https://www.computer.org/web/swebok and many ISOs.

                                                                                                    1. 1

                                                                                                      That’s usually true with how programming is done. There are those doing engineering of software. I linked to three here:

                                                                                                      https://news.ycombinator.com/item?id=15886317

                                                                                                      Example I just found for industrial application of formal simulation and verification of a plant’s operation:

                                                                                                      http://vigir.missouri.edu/~gdesouza/Research/Conference_CDs/IFAC_ICINCO_2007/ICINCO%202007/Area%203%20-%20Signal%20Processing,%20Systems%20Modeling%20and%20Control/Short%20Papers/C3_629_Seabra.pdf

                                                                                                      EDIT: The only thing I can’t tell them in engineering with any confidence is time and budget. Software is too non-linear for that if the team is doing arbitrary work. Might be more accurate at estimating stuff similar to past work.

                                                                                                    1. 3

                                                                                                      I feel the malware/login explanations are much less likely because it looks like code attempting to ‘hide in plain sight’ to me. You wouldn’t need to use Sha256(address) or block hash or txid or merkleroot if you were malware or an unauthorized login. You would at least salt or obscure the key with some bit of knowledge only you know so that only you could derive the private key (as mentioned earlier).

                                                                                                      The author would be surprised at how much malware is coded by script kiddies and how “hiding in plain sight” is a common occurrence.

                                                                                                      1. 12

                                                                                                        As a Linux user, I don’t really care, because I’ve lived with the knowledge that my screen locker (whatever the local DE’s substitute for xscreensaver is) has been totally busted(*) for years without it really bothering me.

                                                                                                        (* by which I mean, multiple times it has manifested security vulns wherein mashing randomly on the keyboard for a bit would crash the screen locker and unlock the screen)

                                                                                                        Something something if you have access to the hardware you can just futz with it anyway.

                                                                                                        1. 5

                                                                                                          Something something if you have access to the hardware you can just futz with it anyway.

                                                                                                          A critical difference here is that “you can futz with the hardware” is something you’d need at least some knowledge and some equipment to do, not necessarily much of each, but you need to know what you’re doing.

                                                                                                          You can fit the instructions for this exploit in a single tweet.

                                                                                                          1. 2

                                                                                                            Very much this, but:

                                                                                                            You can fit the instructions for this exploit in a single tweet.

                                                                                                            That has also been the case for many other exploits of that kind, independent of operating system, with or without a graphical shell.

                                                                                                            Screen locking seems to be a surprisingly nasty problem, even all smartphone platforms have had similar issues.

                                                                                                          2. 4

                                                                                                            This one is accessible remotely.

                                                                                                            1. 3

                                                                                                              Oh, it is? The exploit described here sounds like you need local access. This is interesting.

                                                                                                              Is it exploitable via RDP or VNC or something if you have screen sharing turned on, and if so do you need to log in as an ordinary user account first?

                                                                                                              1. 3

                                                                                                                Screen sharing is indeed the remote exploit vector, [1] [2]. You don’t need to log in as an ordinary user account first.

                                                                                                                1. 3

                                                                                                                  Does Remote Login allow SSH’ing in as root? I’m not familiar with the default macOS config.

                                                                                                                  1. 2

                                                                                                                    I don’t know, but you could enable it pretty trivially.

                                                                                                                    1. 1

                                                                                                                      I did try after enabling SSH to “All Users” and it didn’t allow me to log in as root.

                                                                                                                    2. 2

                                                                                                                      Thank you for elaborating. Yeah that’s genuinely scary. Good reason to leave screen sharing turned off I guess. :x

                                                                                                                2. 3

                                                                                                                  Another reason to consider a Wayland compositor? I’ve got Wayland and Weston with xwayland compatibility running on my media PC right now. Seems to work pretty well.

                                                                                                                  1. 2

                                                                                                                    Yeah I’m hoping Wayland fixes this properly by using a protocol for screen locking that is not intrinsically silly like X11’s is. I assume it does (why would Wayland devs bother to copy such an obvious misfeature of X11?), but I haven’t checked.

                                                                                                                  2. 1

                                                                                                                    You’re perhaps referring to gnome-screensaver https://www.jwz.org/blog/2015/04/i-told-you-so-again/ ?

                                                                                                                    How is light-locker’s track-record? KDE’s thing?

                                                                                                                    I still use xscreensaver on Xubuntu 17.10. I have a feeling jwz has a better track-record than all of the above, but it’s probably not perfect either …

                                                                                                                    1. 3

                                                                                                                      Yes. I don’t know about the others’ record but I’d be surprised if it was perfect. xscreensaver can’t do a perfect job here either because it, like any process, could be arbitrarily killed by something like an OOM killer or a hardware bug causing SIGBUS to be emitted in it.

                                                                                                                      The underlying problem is that X11’s protocol for screen lockers is silly: the screen unlocks when the locker quits for any reason at all. jwz asserts that gnome-screensaver ought to take more care about crash proofing in light of that, which I can’t dispute. Solving the root problem is going to be much more robust anyway though.

                                                                                                                      The 2004 article on this is much better BTW: https://www.jwz.org/xscreensaver/toolkits.html

                                                                                                                  1. 1

                                                                                                                    Nice. Fuzzing against arbitrary binary code is nothing new. But instrumented, guided fuzzing with AFL for binary code is a pretty big deal.

                                                                                                                    This blog post is the first time I’ve heard of unicorn though, what’s the performance overhead of running a binary in unicorn?

                                                                                                                    1. 2

                                                                                                                      I did a few (now outdated) benchmarks of some emulation engines a few years ago and unicorn was already quite fast: https://github.com/isra17/emu_test . I should do it again and include native speeds. Unicorn is using QEMU behind the scenes so I would guess AFL performance would be similar.

                                                                                                                    1. 4

                                                                                                                      Interestingly, the author of Capstone and Unicorn seems to be working on its own AFL guided fuzzer: https://twitter.com/capstone_engine/status/925327798566129664 .

                                                                                                                      1. 1

                                                                                                                        Is Cloudflare really spawning a new OS thread for every connection? That seems incredibly heavyweight. Green threads are vastly lighter, and any good runtime (Haskell/Go/Erlang) will intelligently and dynamically distribute green threads across physical cores as needed (usually much faster than is possible with OS threads), as well as use an efficient epoll-like mechanism under the hood, which eliminates a lot of these considerations. Obviously they’ve thought about it, so if any CF people are here I’d love to hear the practical considerations involved.

                                                                                                                        My guess is that it doesn’t even make sense to use SO_REUSEPORT if your listener thread can fork quickly enough. I’ll do a benchmark when I get home.

                                                                                                                        Edit: Looks like I can do about 10,000 per second of fork/socket/connect/send “a”/recv(1) on the client and socket/bind/listen/(accept/fork/recv/send loop) on the server on my 1-physical-core 1.1GHz MacBook over localhost with Haskell’s stdlib networking stack. No optimizations, just doing whatever seems most obvious.

                                                                                                                        1. 1

                                                                                                                          Is Cloudflare really spawning a new OS thread for every connection? That seems incredibly heavyweight

                                                                                                                          Goroutines seem to be around 0.5us to spawn (http://remogatto.github.io/go-benchmarks/) I don’t have modern benchmarks, but Linux pthreads from 2003, running on 2003 vintage hardware, took 20us per thread (https://lwn.net/Articles/10741/). Assuming a conservative 10% hardware speedup per year, that puts them at 6us per.

                                                                                                                          The numbers above are, of course, highly suspect fermi calculations, and should be taken with a sack of salt, but it doesn’t seem insane to spawn lots of threads.

                                                                                                                          Maybe one day I will look at doing some better benchmarks.

                                                                                                                          1. 1

                                                                                                                            I don’t see where you see the OS thread per connection. The code snippets and explanations spawn a defined amount of worker processes that listen to the same port. There are a few forks at startup and then each process is ready to handle one connection at a time.
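The model described in the comment above, several forked workers each handling one connection at a time on the same port, is short enough to run end to end. This is an added example, not the article’s code or any commenter’s; it assumes Linux loopback, uses Python’s standard `socket` and `multiprocessing` modules only, and offers both arrangements the thread contrasts: one `SO_REUSEPORT` socket per worker (the kernel picks which socket gets each new connection) or a single inherited listening socket that all workers `accept()` on.

```python
import multiprocessing as mp
import socket

HOST = "127.0.0.1"   # constructed demo: loopback only


def make_listener(port: int, reuseport: bool) -> socket.socket:
    """Bind a TCP listener. With reuseport=True several sockets may bind the same
    port and the kernel spreads incoming connections across them."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if reuseport:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
    s.bind((HOST, port))
    s.listen(16)
    return s


def worker(listener: socket.socket, worker_id: int) -> None:
    """Prefork-style worker: one connection at a time, replies with its own id."""
    while True:
        conn, _ = listener.accept()
        with conn:
            conn.recv(1)
            conn.sendall(str(worker_id).encode())


def run_demo(n_workers: int = 2, n_conns: int = 8, reuseport: bool = True) -> list[int]:
    """Start n_workers processes, make n_conns sequential connections and
    return the worker id that served each one."""
    ctx = mp.get_context("fork")        # children inherit the sockets, no pickling needed
    if reuseport:
        first = make_listener(0, True)  # port 0: let the kernel choose, then reuse that number
        port = first.getsockname()[1]
        listeners = [first] + [make_listener(port, True) for _ in range(n_workers - 1)]
    else:
        shared = make_listener(0, False)
        port = shared.getsockname()[1]
        listeners = [shared] * n_workers  # every worker accepts on the same inherited fd

    procs = [ctx.Process(target=worker, args=(listeners[i], i), daemon=True)
             for i in range(n_workers)]
    for p in procs:
        p.start()

    served_by = []
    for _ in range(n_conns):
        with socket.create_connection((HOST, port), timeout=5) as c:
            c.sendall(b"a")
            served_by.append(int(c.recv(16).decode()))

    for p in procs:
        p.terminate()
        p.join()
    for s in set(listeners):
        s.close()
    return served_by


if __name__ == "__main__":
    print("SO_REUSEPORT :", run_demo(reuseport=True))
    print("shared socket:", run_demo(reuseport=False))
```

Two things worth knowing before copying the `SO_REUSEPORT` variant into a real service: on Linux every socket joining the group must have the option set before `bind()` and must belong to the same effective UID as the first one, which is what stops another local user from binding your port and receiving a share of your connections; and because the kernel assigns connections by hashing the 4-tuple, a worker that stops calling `accept()` still receives its share, which then sits in its backlog. The shared-socket arrangement has neither property, at the cost of all workers waking on each connection.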

                                                                                                                          1. 7

                                                                                                                            I found this note about OpenBSD issuing a silent patch ahead of the embargo date somewhat amusing:

                                                                                                                            To avoid this problem in the future, OpenBSD will now receive vulnerability notifications closer to the end of an embargo.

                                                                                                                            1. 29

                                                                                                                              No worries. We will likely still patch on time of public announcement anyway. We just cannot patch problems we don’t know about yet.

                                                                                                                              What happened is that he told me on July 15, and gave a 6-week embargo until end of August. We already complained back then that this was way too long and leaving people exposed.

                                                                                                                              Then he got CERT (and, thus, US gov agencies) involved and had to extend the embargo even further until today. At that point we already had the ball rolling and decided to stick to the original agreement with him, and he gave us an agreeing nod towards that as well.

                                                                                                                              In this situation, a request for keeping the problem and fix secret is a request to leave our users at risk and exposed to insiders who will potentially use the bug to exploit our users. And we have no idea who the other insiders are. We have to assume that information of this kind leaks and dissipates pretty fast in the security “community”.

                                                                                                                              We chose to serve the needs of our users who are the vulnerable people in this drama. I stand by that choice.

                                                                                                                              1. 11

                                                                                                                                And, by the way, here is another part of the original patch, which we didn’t release until today: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/net80211/ieee80211_pae_input.c.diff?r1=1.30&r2=1.31

                                                                                                                                1. 1

                                                                                                                                  What is the rationale on extending the embargo so long? To give vendors a chance to patch? It seems like once people in the know know about a vulnerability, the shorter an embargo time the better.

                                                                                                                                  1. 10

                                                                                                                                    There’s a couple of different interests at play.

                                                                                                                                    For instance:

                                                                                                                                    Researchers want to make a timed media splash.

                                                                                                                                    Security agencies want to evaluate the problem and make sure they get patched before anyone else.

                                                                                                                                    Vendors want time to prepare patches, yes, but that alone does not justify such a long delay.

                                                                                                                                    Reviewing the patch, testing it, and preparing it for commit and publishing errata took only a couple of hours of my free time.

                                                                                                                                    1. 3

                                                                                                                                      From July 15 to today is about 90 days, which is far from unreasonable for co-ordinated disclosure. Project Zero uses 90 days + 2 weeks for patch release in their policy.

                                                                                                                                      1. 1

                                                                                                                                        Which still doesn’t sound nice, though. Over three months of hoping that nobody who was informed and has any malicious intent and that nobody rediscovers it and nobody that might have discovered it earlier.

                                                                                                                                        Now, while WPA2 will in most cases require you to be physically close to exploit, a lot of remote vulnerabilities mean that anyone hearing about it has over three months to scan the whole internet. And that’s a process that might take just some hours with tools like zmap.

                                                                                                                                        For stuff like finance, healthcare, etc. 3 months of “free access” seem everything but reasonable, regardless of what any project does.

                                                                                                                                        Coordination is a good thing. Maybe however making these processes faster is a good idea. Currently people are assuming that all insiders (known or unknown) have just the best intents. This feels very unreasonable. As an entity intending to exploit vulnerabilities this is probably one of the first circles I’d want to get into.

                                                                                                                                        I am not an OpenBSD user, but I think stsp/the OpenBSD project didn’t do anything wrong, by sticking to an original deadline, as well as considering the deadline as too long. At least for said vulnerability. It should be a per-case decision though, since routers aren’t browsers that you nowadays can just kick out updates for.

                                                                                                                                  2. 3

                                                                                                                                    Thanks to you and yours for putting users first.

                                                                                                                                    1. 1

                                                                                                                                      FWIW, I think you made the right choice. Appreciate the integrity and concern for users overriding the institutional politics.

                                                                                                                                      1. 5

                                                                                                                                        On the other hand, this kind of behaviour tends to reduce trust with security researchers. They should not complain once they get notified last for the next critical security disclosure. Unless someone has proof this was exploited in the wild, patching a security bug involving many stakeholders might put your users first, but puts all the other systems’ users at risk.

                                                                                                                                        1. 6

                                                                                                                                          involving many stakeholders

                                                                                                                                          How can anyone be certain that all of these many stakeholders are trustworthy and won’t abuse the secret information they have?

                                                                                                                                          1. 3

                                                                                                                                            How can anyone be certain that all of these many stakeholders are trustworthy

                                                                                                                                            You don’t, but the call is not yours to make. If they see them as not trustworthy, it’s up to the security researchers to choose to notify those stakeholders closer to the end of the embargo.

                                                                                                                                            Find your own bug and choose to go full disclosure if you want to, but OpenBSD had no part in finding this security issue; they were trusted by someone else to hold on to a patch (for 90 days FFS). By acting the way they did, they only showed that they could not be trusted with this privileged information.

                                                                                                                                            1. 4

                                                                                                                                              It’s easy for you to say that, not having been in a situation where you had to actually make that choice yourself.

                                                                                                                                              It seems you would trust the NSA/CIA to not abuse a bug like this? I wouldn’t.

                                                                                                                                              Edit: Also, let me reiterate that: WE WERE GIVEN PERMISSION BY MATHY TO DO THIS.

                                                                                                                                              1. 2

                                                                                                                                                Yeah, it seems weird of Mathy to give permission to release early, then punish (not notify as soon as others) anyway. What the hell?!

                                                                                                                                  1. 7

                                                                                                                                    Linking a JSON file might not be the best medium to share.

                                                                                                                                    1. 3

                                                                                                                                      You must be trying to look at this on mobile. It’s linked to a Jupyter notebook which renders on desktop in the GitHub UI.

                                                                                                                                      1. 1

                                                                                                                                        Ha that’s right!

                                                                                                                                    1. 17

                                                                                                                                      Denial of service seems like a better description than privilege escalation. In the taxonomy of bad stuff, the latter usually implies getting to do something more interesting than halt.

                                                                                                                                      1. 4

                                                                                                                                        the fact that we found this accidentally and that the behavior is exactly what you’d expect if there were no permissions check for the kill call at all leads us to believe that there is likely more that can be done to exploit this issue

                                                                                                                                        There’s nothing found yet, but it does give cause for some concern that the means of denying service is what appears to be escalation.

                                                                                                                                        1. 4

                                                                                                                                          I was part of the team helping Shea to research and disclose the issue. One key finding was in the logs we saw <unprivileged user> killed <privileged process>, indicating that we hadn’t tripped just a crashing bug, but actually escalated beyond the normal access control protections of kill.

                                                                                                                                          1. 9

                                                                                                                                            Privilege escalation is when you increase the abilities of the attack code to do what a higher-privileged account or process can do in arbitrary ways. This includes opening, modifying, and/or destroying resources. Merely terminating a resource is a Denial of Service (DoS) attack on that resource. The title is wrong.

                                                                                                                                            1. 3

                                                                                                                                              Using Privilege Escalation instead of DoS in the title is still misleading. Most people assume that something marketed as Privilege Escalation leads to at the very least reading or writing resources owned by root. I can already kill privileged processes by running shutdown (I know that’s not the point, but killing ALL the system’s processes is still far from running code as root).

                                                                                                                                          1. 7

                                                                                                                                            Flagging as OT. There’s no technical content in there, nor interesting details about why blockchain is an innovative approach for this use case. At best, it’s tech buzz; at worst, useless marketing in my Lobsters.

                                                                                                                                            1. 2

                                                                                                                                              Work

                                                                                                                                              Started a business a month ago; today deploying a distributed system to crawl some stuff. Distributed crawling has been slightly more complicated than I thought, especially since the tools (Scrapy and especially Frontera) appear to be less mature than expected. At least I’ve been able to make a few contributions in the process!

                                                                                                                                              Not Work

                                                                                                                                              Once I’m done deploying, I’m finishing up my workshop for Northsec this week. I feel like 3 hours will be quite a challenge to walk people through scripting exploitation without much background in exploitation. First time doing this, so hopefully I will be able to learn a few things myself and make the workshop better for potential future conferences/training. After the conference there’s a 48-hour on-site security CTF where we placed first last year. Mix all this with speaker/conference/CTF parties on each evening, and it’s going to be a long, long week…

                                                                                                                                              1. 10

                                                                                                                                                So I guess this security researcher is gonna get hit by the mob, nice job journalists.

                                                                                                                                                1. 3

                                                                                                                                                  To be fair, it’s not as if he was the only security researcher the mob knows about. Why would the mob hit someone who just happened to shut down their malware by chance? There are many researchers that can be easily found and that are known to actively work on and track malware families. There are even some that are known to shut down botnets from conferences…

                                                                                                                                                  Don’t get me wrong, the press doxxing people is stupid, but saying the guy is now in danger because of this is rather naive.

                                                                                                                                                  1. 8

                                                                                                                                                    He may not be in immediate danger, but his doxx are irreversibly out there. Nothing says he won’t become more interesting to dangerous people in the future.

                                                                                                                                                    1. 6

                                                                                                                                                      Exactly, and the fact is we simply don’t know if he’s in danger right now. He really might be, and if he does get a nasty visit, then it really would be on the journalists, who outed him purely for their own ends. Totally irresponsible and selfish. Sure, if they found him then sufficiently motivated bad actors could too, but the point is, the journalists did it for them, for free.

                                                                                                                                                      I saw a piece earlier which just said “he lives in Cornwall and works for a security company” and thought even that was irresponsible, given the extent of the potential nastiness of people who carry out organised crimes. But putting the guy’s name out there? Really? Out of control.

                                                                                                                                                      1. 2

                                                                                                                                                        The data was already irreversibly out there. Someone just brought it together. Do you believe that “the mob” doesn’t have the resources to do the same if it wants to? Only, probably in a way that would give him less warning.

                                                                                                                                                        1. 3

                                                                                                                                                          That’s addressed in the piece - the researcher says he always assumed it would be some criminal who tracked him down. But instead, it was a journalist who got there first. Probably because they’re specifically trained to do this kind of investigation, don’t you think?

                                                                                                                                                    2. 2

                                                                                                                                                      I don’t think it’s legitimate to blame the journalist for other people’s criminal actions.

                                                                                                                                                      If the mob cares enough to harm this guy, then they were certainly looking for him already, and if the journalist could find him, then so could the mob.

                                                                                                                                                      Second, the logical extreme of your position is that everybody should censor themselves because information may be used by criminals, which I don’t agree with.