1. 9

    I’ve noticed the same issue with Electron apps on my low RAM devices. Anything with 4GB or less of RAM doesn’t allow you to run more than 2 instances of the programs, without chugging into swap space or worse, oom-killing.

    Particularly worrying is most of my messaging apps are exactly like that: Riot/Element, FB Messenger, WhatsApp, Telegram (this last one is actually pretty optimized and doesn’t eat too much). Long gone are the days where an XMPP bridge would solve the issue, as most of the content is now images, audio messages, animated GIFs, emojis and other rich content.

    Thanks for the article, at least I know that I can replace one of the culprits with a daemonized, non-Electron app and just use the phone as a remote control.

    1. 9

      As far as I am aware, Telegram is not Electron, it is actually a Qt based app.

      1. 7

        Long gone are the days where an XMPP bridge would solve the issue, as most of the content is now images, audio messages, animated GIFs, emojis and other rich content.

        I’m not sure what you mean. Most XMPP clients today (like Conversations, Dino, etc.) gracefully handle all of the items you mentioned, and with much less resources than a full web browser would require. I definitely recommend XMPP bridges when possible where the only alternative is an “app” that is really a full web browser.

        1. 4

          Of those listed, I think Riot will maybe disappear at some point. Riot has (amazingly) managed to have native desktop clients pop up; Quaternion, gomatrix and nheko are all packaged for my Linux distribution.

          1. 3

            I understand the desire to use something browser-ish and cross-platform. I don’t fully understand why Electron (hundreds of mb footprint) is so popular over Sciter (5mb footprint).

            1. 1

              Electron is fully free, Sciter is closed-source with a Kickstarter campaign in progress to open-source it.

              For the large companies, the price of something like Sciter should be a non-issue. If I were reviewing a proposal to use it, though, I’d be asking about security review and liability: HTML/CSS/JS have proven to be hard to get secure, Electron leverages the sugar-daddy of Google maintaining Chrome with security fixes, what is the situation with Sciter like?

              Ideally, the internal review would go “okay, but if we only connect to our servers, and we make sure we’re not messing up TLS/HTTPS, then the only attack model is around user-data from other users being rendered in these contexts, and we have to have corner-case testing there no matter which engine we use, to make sure there are no leaks, so this is all manageable”. But I can see that “manageable” might not be enough to overcome the initial knee-jerk reactions.

            2. 2

              Long gone are the days where an XMPP bridge would solve the issue

              I use Dino on desktop to replace the bloated Discord & WhatsApp clients, and it works fine (with inline images, file sharing, etc working too).

              Disclaimer: I did, however, write the WhatsApp bridge :p

              1. 1

                Isn’t the reason that XMPP isn’t useful more to do with these services wanting to maintain walled gardens? And further, isn’t that a result of the incentives in a world of “free” services?

              1. 1

                I’ve read so many k8s articles in the past years that I feel like I almost have intimate knowledge of this piece of software, even though I have not used it productively before. It’s obviously pretty strong at allowing applications to scale up whenever in high demand.

                Kubernetes will automatically manage your resources for you. If configured correctly, it can survive even if a “node”, or a server in the cluster, becomes unaccessible, with no input required from the user. Kubernetes through some service providers can scale up workloads to massive amounts temporarily, which can be incredibly useful if your service becomes very popular and you suddenly gain a lot of traffic. Running a Kubernetes system means you can reduce your downtime to an insanely small level, and increase your computational capacity to an insanely large level. While this may not seem useful up front, you may consider it essential down the line.

                Are there persons here who have designed and deployed applications on k8s for non-enterprise use, and have actually gotten to make use of the most important features of k8s: prevented downtime and scaling up (due to high increases in traffic/capacity)? I’m talking here about blogs, web services, apps, mobile apps, mostly deployed and maintained by a single developer.

                1. 4

                  I have been working on Kubernetes for my company for about two years. It’s had a lot of benefits for our use cases, but I would never use it for a one-developer project. It’s simply not worth it – the things it solves for you aren’t going to be problems you have. I’d even say things like downtime and scaling up aren’t as big a deal at that level of functionality; I’d think that it’s often better for a blog to fall over than to scale at the level that some of the apps I work on scale, simply due to cost. (Are you okay with paying $900 for one day’s traffic spike?) Some of the things that it does don’t even make sense if you’re not working in a particular type of environment.

                  1. 3

                    As a sole developer, you have near-zero communications overhead; you can just remember / write down the state of play, and everyone who has to maintain it will automatically know. You never (e.g.) accidentally try to run two deploys at the same time, even if you don’t implement a mutex around your deploy process. Implementing k8s can consume all of your team-of-one’s output for weeks.

                    Adding Kubernetes (or similar kinds of complex system) can be fantastic for big teams. Having a single source of truth re: the status of the app is a tremendous advantage. It only takes a small fraction of the team’s output to implement. The cost/benefit is totally different.

                  1. 4

                    How are things like this not already a problem for other lithium-battery-powered devices like, say, the Pinebook Pro?

                    1. 3

                      Seems the Pinephone is based on the Allwinner A64 SoC and the Pinebook Pro is based on the RK3399 SoC. I’m assuming both have different power management chips, drivers or whatnot.

                    1. 10

                      I submitted this because this is the second time in the week I’ve seen other posts recommending moving the sshd listening port to an unprivileged port and I think this is always a terrible idea.

                      1. 43

                        Now, back to SSH: when we start SSH on port 22, we know for a fact that this is done by root or a root-process since no other user could possibly open that port. But what happens when we move SSH to port 2222? This port can be opened without a privileged account, which means I can write a simple script that listens to port 2222 and mimics SSH in order to capture your passwords. And this can easily be done with simple tools commonly available on every linux system/server. So running SSH on a non-privileged port makes it potentially LESS secure, not MORE. You have no way of knowing if you are talking to the real SSH server or not. This reason, and this reason alone makes it that you should NEVER EVER use a non-privileged port for running your SSH server.

                        The author is suggesting trusting port 22 because it is a “root” process. There is a “way of knowing if you are talking to the real SSH server or not”, and it’s actually one of SSH’s features since its first release. I would trust any port, no matter the “privilege level” required to listen on that port, for a single reason: I trust the SSH server based on its fingerprint, not on its listening port; and I know that my server’s key data is only readable by root, it has been like this in almost all SSH default installations for the last 20 years.

                        Now, let’s pretend you STILL want to move the port away because you get so many attacks on your SSH port. First of all: are you able to logon as root? If so, fix that now. Secondly: are you using passwords? If so, fix that now and change into public key authentication.

                        I want to move the port away because of the insane amount of traffic that I have to pay for (if I rent a server, VPS, or anything similar which bills me on network egress/ingress). Disabling password access (for any user) will not make dumb port scans and SSH fingerprinters stop looking at my SSH banner and then decide, based on this information, to just try out username/password combinations, even when my server rejects this authentication method.

                        The rest of the arguments are personal opinion.

                        1. 8

                          Besides, by this reasoning creating a connection to the many many services that run on port >1024 is a bad idea too. Connect to MySQL on 3306? Oh noes! Have your app run on localhost:8080 and a proxy on *:80? Oh noes!

                          1. 3

                            Please move your MySQL port to 306 and launch MySQL as root.

                            1. 1

                              Call me crazy, but I don’t think “you risk an attacker accessing your database” and “you risk an attacker having a shell to do whatever they want” are really equivalent.

                              1. 1

                                Well, the DB in most cases has much more value to the attacker than your machine, so I would say that, from the pragmatic viewpoint, the DB is more likely to be targeted.

                            2. 8

                              the insane amount of traffic that I have to pay for

                              How much money per month do you estimate you were paying to handle traffic from people attempting to ssh into a given node?

                              1. 3

                                About 2 euro cents a month, per host.

                                1. 1

                                  The question is: how many resources (concurrent connections) does this take, which are completely unnecessary and are filling your logs?

                                  1. 3

                                    Clearly not enough to make log tuning worthwhile.

                                    A lot of these blanket statements ignore the fact that action or inaction is perfectly reasonable dependent on threat model. But of course, most people making blanket statements aren’t applying a threat model when doing so.

                                2. 6

                                  This was basically what I was going to say.

                                  If a server can somehow knock down sshd, listen on the same unrestricted port, they still would have to present the appropriate hostkeys.

                                  Even then, LSMs like SELinux, etc. can put restrictions on who can name_bind on any port you want. The only caveat is that you have to write the policy for it. I am strongly against the >1024 privileged ports restriction in the era of LSMs.

                                  1. 1

                                    I am strongly against the >1024 privileged ports restriction in the era of LSMs.

                                    Can you expand?

                                    1. 1

                                      With LSM you can disable opening any port by all applications and then allow opening ports per application. So on server it allows for much greater security, as you can directly list which application will be able to open connections (and even make it so no port requires super user, as application/user combo will be handled by LSM).

                                      1. 1

                                        This is an argument for LSM-based port binding policies, not against the <1024 requires root policy. Unless the two are mutually exclusive?

                                        1. 1

                                          Not exclusive, but even with LSM allowing the usage of port <1024 you still need to run the given program as root. So all you gain is more complexity instead of simplification.

                                  2. 2

                                    I trust the SSH server based on its fingerprint

                                    I very rarely know the fingerprint of a server before connecting to it.

                                    For my most commonly used hosts, I can look it up with a little bit of work (sourcehut, github, gitlab) but of those, only github made it easy to find and verify. For a lot of hosts in a corporate cloud though, the instances are torn down and replaced so often that host-based keys are essentially meaningless.

                                    1. 7

                                      If you’re not verifying host keys, you’re basically trusting the network - but you don’t, otherwise you could use telnet instead of ssh.

                                      Maybe look into SSH host key signing, so you just need one public signing key to verify that the host has been provisioned by a trusted entity.

                                      1. 3

                                        It is also possible to use ssh with kerberos. Then you know that the server is the correct one. Even without ssh-fingerprints.

                                      2. 5

                                        You should really start checking the fingerprints. Ignoring that crucial step is how you get hacked. There are way more attack vectors than you can think of. An attacker could get in, for example through your job’s documentation intranet, and modify an IP in a document. Or, for example, if a DNS server of yours is compromised. If you use password authentication in these situations, you are essentially letting the attacker into all servers you have access to.

                                        Other comments already pointed out viable solutions. You should adopt one of them or simply start checking the fingerprints. What you are doing is dangerous.

                                        1. 6

                                          The “implied trust on first use”-model works well enough for many – though perhaps not all – purposes. It’s the “host fingerprint changed”-warning that provides almost all of the security.

                                          1. 2

                                            Most of the security no doubt. Almost all… That is debatable. If something happens once every 1000 would you not care to protect against it because you already provided 99.9% of the security?

                                            What security is, in essence, is accounting for the unlikely yet exploitable cases. You look at those attack vectors as a corner case until it is not a corner case anymore. This is how security threats evolve.

                                            1. 1

                                              The thing is, what is the attack vector here, and how do you really protect from it? In your previous post you mentioned modifying the internal documentation to change the IP; but where do you get the host key? From the same internal documentation? Won’t the attacker be able to change that, too?

                                              You can use SSHFP records; but of course an attacker can potentially get access to the DNS too, as you mentioned.

                                              The thing is that good distribution of these fingerprints is not a trivial problem if you’re really worried about these kinds of attacks. Are they unfeasible? Certainly not, and if you’re working for a bank, CA registrar, or anything else that has high security requirements you should probably think about all of this. But most of us don’t, and the difficulty of pulling all of this off effectively is so high that most of us don’t really need to worry about it.

                                              We don’t lock our houses with vault doors; a regular door with a regular lock is a “good enough” trade-off for most cases. If you’re rich you may want to have something stronger, and if you’re a bank you want the best. But that’s not most of us.
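                                              Since the thread keeps coming back to host fingerprints (the “SHA256:…” string `ssh-keygen -lf` prints), SSHFP records, and the “host fingerprint changed” warning of the trust-on-first-use model, here is an added example (not from any commenter) that computes a key’s OpenSSH fingerprint and its SSHFP record from the public key blob, verifies a presented key against a published SSHFP record, and replays the known_hosts ok / changed / unknown decision. The sample keys and known_hosts entries are constructed, not real hosts; hashed known_hosts entries (`|1|…`) are deliberately not handled.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ed25519_key_line(raw32: bytes, comment: str) -> str:
    """Build a 'ssh-ed25519 <base64 blob> <comment>' line as found in *.pub / known_hosts."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


# Constructed sample keys: 32 arbitrary bytes each, NOT real Ed25519 public keys.
SAMPLE_KEY_LINE = _ed25519_key_line(bytes(range(32)), "constructed-host")
OTHER_KEY_LINE = _ed25519_key_line(bytes(range(32, 64)), "constructed-other")

# Constructed known_hosts content: one plain entry per host, no hashed (|1|...) entries.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "constructed-host.example,10.0.0.5 " + SAMPLE_KEY_LINE,
    "other.example " + OTHER_KEY_LINE,
])

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint-type numbers.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def parse_key_line(line: str):
    """Return (keytype, blob) for a 'keytype base64 [comment]' line, rejecting inconsistent input."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected 'keytype base64 [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():  # the blob embeds its own type; both must agree
        raise ValueError("key type in blob does not match declared key type")
    return keytype, blob


def openssh_fingerprint(line: str) -> str:
    """The value `ssh-keygen -lf` prints: SHA-256 of the blob, base64 without '=' padding."""
    _, blob = parse_key_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def sshfp_record(line: str, fptype: str = "sha256") -> str:
    """RDATA of an SSHFP resource record: '<algo> <fptype> <hex digest of blob>'."""
    keytype, blob = parse_key_line(line)
    return f"{SSHFP_ALGO[keytype]} {SSHFP_FPTYPE[fptype]} {hashlib.new(fptype, blob).hexdigest()}"


def verify_against_sshfp(line: str, record: str) -> bool:
    """True only if the presented key reproduces the published record (constant-time compare)."""
    algo, fptype, fp = record.split()
    fpname = {v: k for k, v in SSHFP_FPTYPE.items()}.get(int(fptype))
    if fpname is None:
        return False  # unknown fingerprint type: treat as a failed check, never as a pass
    expected = sshfp_record(line, fpname)
    return hmac.compare_digest(expected, f"{int(algo)} {int(fptype)} {fp.lower()}")


def known_hosts_status(known_hosts: str, host: str, presented_line: str) -> str:
    """Trust-on-first-use decision: 'ok' (stored key matches), 'changed' (an entry of the
    same key type exists for host but with a different key; this is the warning that gives
    TOFU its value), or 'unknown' (no comparable entry, so the client would ask the user)."""
    presented_type, presented_blob = parse_key_line(presented_line)
    same_type_seen = False
    for raw in known_hosts.splitlines():
        fields = raw.strip().split()
        if len(fields) < 3 or fields[0].startswith("#") or fields[0].startswith("|1|"):
            continue
        hosts, keytype, blob_b64 = fields[0].split(","), fields[1], fields[2]
        if host not in hosts or keytype != presented_type:
            continue
        same_type_seen = True
        if base64.b64decode(blob_b64) == presented_blob:
            return "ok"
    return "changed" if same_type_seen else "unknown"


if __name__ == "__main__":
    print(openssh_fingerprint(SAMPLE_KEY_LINE))
    print("SSHFP", sshfp_record(SAMPLE_KEY_LINE))
    print(known_hosts_status(SAMPLE_KNOWN_HOSTS, "constructed-host.example", OTHER_KEY_LINE))
```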

                                              1. 1

                                                The attack vector is making you believe you are initially trusting the host you think you know, but it is in fact another host.

                                                But you are right, if you misguide a user into connecting to another host, you could also show them another fingerprint and trick them into believing it is legit too. Fingerprints are just a huge number usually displayed as an unintelligible string of chars. It’s not like the user recognises them by heart.

                                                I do check them if I change computer, or if I connect to a known machine I ask a colleague to verify it. But I’ll agree that it’s a trade-off and that maybe it’s OK for most people to just trust.

                                    2. 3

                                      I think this post and the discussion around it is a waste of time. Right now, wasting my time. But I wanted to come here and proclaim that in the spectrum of terrible ideas, it doesn’t even register. Do you have a scale that starts at terrible and then just goes to some k multiple of terrible?

                                      I moved my ssh port in like 2002 (the year), and you know what, I no longer had to see 150+ log messages a day about failed logins, it went to zero. Like 1-1. Mission Accomplished.

                                      Please enumerate all the other terrible ideas I shouldn’t follow, might be a good list.

                                      edit, btw, I am just poking good terrible fun at you.

                                    1. 5

                                      There were a few mentions of the laptop being rebranded, and I was curious about alternative vendors/retailers for Tongfang laptops in other regions (EU/US mostly). Apparently, I did not have to search for long, someone already did this about a month back: https://www.reddit.com/r/AMDLaptops/comments/hzlcjo/all_of_the_vendors_that_are_offering_the_tongfang/

                                      1. 5

                                        This was an incredible read, even for amateurs in ASM! Thanks!

                                        You mentioned that at a point, many bots just bombed 0x000, which killed yours. How did they figure out that is a common place to place yourself at?

                                        After each round, are the “bots” revealed to all participants, so that they can inspect each other’s bot, or is it “blind”, and you just have to anticipate your opponents’ methods?

                                        Apologies for the generic language, assembly is not one of my strong points.

                                        1. 1

                                          This was an incredible read, even for amateurs in ASM! Thanks!

                                          Thank you!

                                          You mentioned that at a point, many bots just bombed 0x000, which killed yours. How did they figure out that is a common place to place yourself at? After each round, are the “bots” revealed to all participants, so that they can inspect each other’s bot, or is it “blind”, and you just have to anticipate your opponents’ methods?

                                          Right, I should’ve included a gif of the gameplay; perhaps, watch a bit of the stream. So, each bot’s actions are fully visualized as colored boxes in a 32 × 32 grid, and the first 3 days of the event are just “practice” rounds—essentially to understand what others are doing and work around it to some degree for the finals (day 4). You improve your submission after each day of play. Anyway, to answer your question, yeah 0x000 is a fairly common position to place your bot at. And no, the bots aren’t “revealed”, technically. It’s on you to reverse engineer other bots by watching their gameplay.

                                        1. 30

                                          Can someone please help me understand how the announcement of a Linux subsystem for Windows becoming generally available is spam?

                                          Prior to this you needed to be running a Windows Insider build in order to run it. I’ve seen a thousand thousand distro announcement posted here without getting this kind of treatment.

                                          What am I not understanding about the rules and guidelines for this community? Or are people just as downright nasty with the flagging as they seem to be to me?

                                          1. 11

                                            Could be that FOSS purists flagged it since WSL enables people to run Linux on a proprietary OS. (Which, if true, is a very silly reason IMO.)

                                            I think WSL is great. It was a godsend on my previous job which was mostly a Windows kinda place. Before that I used Cygwin, but WSL is much much more convenient.

                                            1. 8

                                              I am a WSL user on some of my Windows systems, and I greatly appreciate it. That being said, a few points regarding “spam”:

                                              • The linked website is Canonical; Canonical has had some controversy regarding contribution to FOSS (back in the day, the company was monetizing a FOSS-derived OS - from Debian, without giving back to the FOSS community). I can only assume that some of the readers saw the intention of Canonical here as to monetize piggybacking on Microsoft’s WSL2 availability.
                                              • There are multiple text-based advertising paragraphs in the blog post, which mention the enterprise/corporate offering of Canonical and WSL (paragraph 4, and the first paragraph, and the title of the last section)
                                              • The article (May 2020) mentions availability of an O/S in the WSL store. A tutorial (which is mostly generic, applies to almost any WSL2 migration/distro) is also present on the blog post. Ubuntu fails to mention what exactly is the WSL2 OS good for, how does it compare to other distros (or to the main release), what does it bring new (except enterprise support).

                                              Now, some of the above may have not triggered some members of the community. I’m human, so I’m mostly biased, and while I haven’t flagged or hidden this particular story, I can imagine myself having a bad day and flagging an article from a company monetizing FOSS without contributing back as spam (see Google, Amazon).

                                              1. 13

                                                I can imagine myself having a bad day and flagging an article from a company monetizing FOSS without contributing back as spam (see Google, Amazon).

                                                 That would be working against the site guidelines. Lobste.rs has always been a place for technical discussion; how that tech is monetized, whether it’s proprietary, GPL or BSD licensed, and how the company/individuals contribute back (if at all) should have no impact on whether a story is on topic or not.

                                                Judge the content, not the person/entity behind it.

                                                1. 2

                                                  Now, some of the above may have not triggered some members of the community. I’m human, so I’m mostly biased, and while I haven’t flagged or hidden this particular story, I can imagine myself having a bad day and flagging an article from a company monetizing FOSS without contributing back as spam (see Google, Amazon).

                                                  Right, and you yourself seem to agree that doing so is a mis-use of the flag mechanism.

                                                  The appropriate response would be either a constructive comment or maybe even if you cared to / had time a private message around how the article lacks technical merit and probably doesn’t belong here, accompanied by a simple non upvote.

                                                  Or maybe we need a new flag “lacks technical merit” :)

                                                2. 7

                                                  What am I not understanding about the rules and guidelines for this community? Or are people just as downright nasty with the flagging as they seem to be to me?

                                                  It’s definitely not just you. I’ve noticed frequent “flagging as spam” of late as well - just monitor Recent for a while and you’ll spot it immediately. The articles that are being flagged would certainly not have been flagged a year or two ago. Perhaps this warrants a wider discussion…

                                                  1. 5

                                                    Me too. I had a definitely-not-spam submission flagged the other day as well. I asked the mods to delete it; I don’t submit spam but hell if I wanted to offend anybody. As it turned out, others upvoted so it worked out okay.

                                                    But it left a bad taste in my mouth. I know we’re all supposed to assume positive intent, but as long as we’re not identifying anybody individually, I have a weird feeling that there’s something deliberately negative going on here. I don’t know what, but it doesn’t feel right. Content can be poor quality, bad advice, poorly-written, dated, or off-topic without it being anywhere near spam. In that case just don’t upvote it, or make a comment explaining what you think may be technically bad about the piece. (You know, you might be mistaken! I am mistaken quite a lot) I am concerned something’s not working as it should.

                                                    1. 2

                                                      It’s definitely not just you. I’ve noticed frequent “flagging as spam” of late as well - just monitor Recent for a while and you’ll spot it immediately. The articles that are being flagged would certainly not have been flagged a year or two ago. Perhaps this warrants a wider discussion…

                                                      I definitely think this warrants a wider discussion as well. Take a look at @gerikson’s comment above. There’s no bad intent there, but he’s using the SPAM flag as “I feel this article is lacking in technical merit”. He chose to un-flag as did the other person after I called the flagging choice into question, but I think we need to do some work as a community to come to a common understanding of what the flags are FOR and how we want to use them to make the community better.

                                                      1. 2

                                                        Yes, agreed. Taking a look at a recent story, How To Make Ubuntu Work Like Windows 10, it currently has a score of 5, made up of “+12, -2 off-topic, -5 spam”. Quite a mix, suggesting that there are some differing views about what posts are appropriate.

                                                        1. 3

                                                          I also notice that the flag explanations link in the About page seems broken. I’m going to message the mods about that, might help people to understand the goals of the mechanism better.

                                                          1. 2

                                                            For what it’s worth I went and hunted down the explanation of what flags are for. “Spam” says “promotes a commercial service”. The explanation is in the middle of the “Ranking” section: https://lobste.rs/about

                                                            1. 1

                                                              I think the problem is that some people use “spam” as a catchall when flagging posts they think are inappropriate. I know that some people leave a comment when they do so, at least explaining their thinking, but they’re in the minority.

                                                      2. 7

                                                        I found it borderline, flagged it but I have since unflagged it.

                                                        What I’d like to see: a post that describes the differences between WSL1 and WSL2 and how it pertains to Ubuntu; why WSL2 is worth the update; what changes Ubuntu made to accommodate WSL2, etc.

                                                        Also what I’d like to see: what distribution (if any) is best for WSL?

                                                        For Ubuntu, the more mindshare they have among WSL users, the better. So this entry can be seen as marketing.

                                                        Final edit I removed a bunch of mildly self-pitying and sarcastic remarks around this comment being flagged, but it looks now I was mistaken. I stand by my words above.

                                                        1. 2

                                                          For Ubuntu, the more mindshare they have among WSL users, the better. So this entry can be seen as marketing.

                                                          Final edit I removed a bunch of mildly self-pitying and sarcastic remarks around this comment being flagged, but it looks now I was mistaken. I stand by my words above.

                                                          If you look at the description for the Spam flag it says: Promotes a commercial service.

                                                          WSL is in fact a closed source proprietary commercial product sold by Microsoft. It’s certainly not a ‘service’ and I personally feel that while this article probably lacks technical merit, it’s probably not Spam under the current definition of the flag either.

                                                          I actually thought long and hard before posting this, and what ultimately swayed me was the fact that WSL now being available to main line Windows 10 users not part of the Windows Insider program seemed like technical information that could be useful and interesting to the community here.

                                                          So I guess the question for this community is - what do we want to be? If release announcements aren’t of interest because they lack the kind of deep technical content we want to see, then perhaps we should consider being clear about that.

                                                          Anyway, lots of good discussion here. Thanks for taking part in it, and again thanks for explaining your motivations.

                                                          1. 1

                                                            a post that describes the differences between WSL1 and WSL2 and how it pertains to Ubuntu; why WSL2 is worth the update

                                                            As I understood it, the main difference is that WSL1 was an emulation layer that translated system calls into the corresponding Windows API calls, whereas WSL2 is a (lightweight) VM running an actual Linux kernel.

                                                            See: https://docs.microsoft.com/en-us/windows/wsl/compare-versions

                                                            1. 1

                                                              I actually installed WSL1 yesterday, and was mildly disappointed my computer is not yet updated to be able to handle WSL2.

                                                              What I meant was I’d like Canonical to expand more on how they’ve worked (or not had to!) to work with WSL2.

Edit: apparently WSL2 is faster, which I appreciate. I had been using Cygwin before, and reading and processing 10k files there was very fast; in WSL1 it’s painfully slow.

                                                              1. 3

Yes, WSL1’s lackluster performance is well documented. It’s why they put so many engineering hours into creating WSL 2, and the results are impressive.

                                                                Sorry your computer isn’t up to the 2004 version required - I know not everyone is just running Windows at home for themselves and may be locked down by IT or other constraints, but for those who do control their own systems the 2004 update is fully released and anyone can go grab it, it just hasn’t been queued for automatic deployment yet.

Also, I wanted to thank you for your cards-up post around why you flagged and un-flagged the article as Spam. I think there’s a disconnect in this community around how flags are used. It seems to me that the mods created flags as a means of allowing the community to police itself and raise the bar, but people are instead using them as you did, as a way to say “This article lacks technical merit” or in some cases even “I disagree”, which to me is an even more egregious abuse of the mechanism.

                                                                1. 1

                                                                  I’ll have to check whether I can update to 2004… we’ve gotten new practices re: computer management from the mothership.

                                                                  I’ve actually been quite happy with Cygwin for my purposes but figured the WSL is The Future(tm) now.

                                                                  1. 1

Interesting that you find Cygwin’s performance better than WSL1. I’ve used Cygwin off and on for many years but tend to prefer a Linux VM (via Vagrant) when forced to use Windows. In my limited usage I’ve found WSL1 to be a better experience than Cygwin, at least for interactive shell usage - I’ve not done any heavy processing with it.

                                                                    1. 1

                                                                      Glad to hear Cygwin meets your needs. It’s certainly battle tested!

                                                                      One of the things that others have cited in this thread that WSL brings to the table is official support from external tools like IDEs.

                                                                      I can write and debug my code in VSCode or Pycharm, and then deploy and debug in WSL because both tools explicitly have first class support for it.

                                                                      This is a pretty compelling feature for some of us.

                                                                  2. 2

                                                                    I actually installed WSL1 yesterday, and was mildly disappointed my computer is not yet updated to be able to handle WSL2.

                                                                    Dunno if you saw this most recent announcement. They backported it even further. Hope this helps!

                                                                    1. 2

                                                                      Thanks, I did see that! Unfortunately corporate policy still has me stuck on a version that’s too old…

                                                              2. 2

It’s a little sad to see this. Perhaps this kind of behaviour could be looked at and addressed? I’m not sure what to call it, but it feels distasteful to me.

                                                                1. 2

                                                                  I think it’s a simple matter of the community not having a good shared understanding of what the flag feature should be used for.

                                                                  My impression is that the moderators meant for it to be a relatively serious step that could be used to censure posts that are VERY far afield from the intent of the community, but instead people are using it for making statements like “I disagree”, “This lacks technical merit” or “This represents a commercial interest engaging in marketing” which I’d personally assert is part and parcel of “lacks technical merit”.

                                                                  I don’t know how we get the word out about this though without being too heavy handed.

                                                                  1. 2

                                                                    I see some comments with explanations already, which is great, as knowing why is going to be key in finding a better way to solicit the feedback that this is aiming for.

                                                              1. 3

                                                                Hey, author of the post here! Really happy to see it on Lobsters, and I’d be happy to answer any questions and/or comments you have!

I encountered this “bug” while working on rewriting my iOS app with the new App and Scene structures introduced during WWDC2020. The project is nearing completion, and I’m really excited about how it’s turning out.

                                                                Enjoy!

                                                                1. 12

                                                                  Unfortunately not related to the content, but for me the font choice made the post too difficult to read.

                                                                  1. 3

                                                                    Understandable. I was attempting to make it “retro,” though I’m going to change the font when I rewrite the site (soon) to make it clearer and load faster.

                                                                    1. 2

                                                                      I agree with you. Try using Reader View if your browser supports it. It’s much better.

                                                                      1. 2

                                                                        Pictures/videos also don’t work in Safari 14.

                                                                        1. 1

                                                                          Yeah, they’re in .webm which for some reason is not supported by Safari despite massive size reductions from mp4. Going to need to add mp4s.

                                                                      2. 3

                                                                        Nice post! Happens to all of us :-)

                                                                        That’s what you get for populating static items in a list. I’m a little confused about the sorting (or whether it works as needed):

                                                                        • Completed tasks are at the bottom. Ongoing tasks are at the top.
                                                                        • Higher priority items are at the top of their category (completed/ongoing).
• After the above two points, ordering is done ascending, by task name.

                                                                        The above statements sound nice, but:

• the UI fails to show important (high prio) tasks
• sorting by name is not visible, as per the point above. Looking at the videos you provided, it appears sorting is random (although it may not be)

                                                                        I’m not an Apple user, but I would enjoy having a task list with the following features:

                                                                        • Priority items clearly marked (color/“hotness” or font weight)
                                                                        • Completed tasks with a “greyed out”/“disabled” state (the strikethrough helps)
                                                                        • Sorting based on the timestamp when the item was created/modified/completed
                                                                        1. 1

                                                                          Thank you for the great suggestions!

                                                                          Some clarifications about sorting:

                                                                          • The exclamation marks on the trailing side are supposed to be the main indicator of priority, which I understand might be too small of an indicator.
                                                                          • The “ascending task name sort” is just a fancy way of saying alphabetical order. Because it’s the third priority it may seem a little random, but what it does is sort all tasks of the same priority and the same category (completed/ongoing) in alphabetical order.

                                                                          Feature suggestions:

                                                                          • I love the idea of color/weight indicators for priority! Definitely going to implement that going forward.
                                                                          • Completed tasks are grayed out in addition to the strikethrough in the main app, I’ve just yet to implement it in the rewrite.
                                                                          • The timestamp sort would be an important thing, but a big feature of the app is that tasks get deleted at midnight every day so that would be a really short-term thing. I will consider adding it as an additional sort method, though.
                                                                      1. 2

                                                                        So, the two situations where this vulnerability applies (requires SecureBoot to be enabled):

                                                                        • Inside an already booted system where user-space has write access to the EFI partition, or, in general to the grub.cfg file
• In an offline attack where someone pulls out the disk, changes the grub.cfg file to exploit this (and inserts an implant which, for example, reads the passphrase for any encrypted root partitions while you type it). I believe this is an evil maid scenario.

                                                                        The outcome is always the same. The attacker gains arbitrary code execution, while bypassing SecureBoot. The most common result: privileged access to the booted system, after the first reboot.

                                                                        1. 2

                                                                          Excellent technical write-up, and incredible architectural flaw.

I’m assuming sacrificing some security for performance is sometimes OK, as long as you don’t have to sacrifice all of it. The flaw makes me think that any compromised “Windows Server Container” leads to the ultimate compromise of the container host.

                                                                          Some questions that may have been left unanswered, from my view:

                                                                          • Is MS addressing this in any way?
                                                                          • Most devices are using symbolic links to be mapped at the global level. While the WinObj screenshot of the container/silo shows virtual networking interfaces, would it be possible to exploit this outside of the filesystem space, and also on the other devices (Ethernet, USB HID, cameras, COM ports, smartcards)?
                                                                          1. 14

                                                                            If you want to run your own version, I can highly recommend the independent rust server implementation here: https://github.com/dani-garcia/bitwarden_rs

                                                                            Very easy to set up and compatible with the browser extensions, android app etc.

I have been using this for months, running it on a Raspberry Pi behind a VPN at home (with encrypted offsite backup). Works like a charm.

                                                                            1. 6

                                                                              Or, you can use @jcs’s rubywarden.

                                                                              1. 1

I am trying out bitwarden_rs now and do feel the same usability as the mainstream software. Do you have any feedback about rubywarden regarding existing features, usability compared to the main software, and mostly, maintenance tips? Thanks!

                                                                              2. 4

                                                                                I run this in a docker container alongside watchtower to keep it up to date. Runs like a champ, I hardly ever have to touch it.

                                                                                1. 3

Same here. I am not a fan of Docker in general, but trying to compile this myself on a raspi tipped me over the edge towards using Docker for this.

                                                                              1. 5

My experience with Riot and Matrix has been amazing so far. The addition of cross-signing is a bliss, and a long awaited feature. Cross-signing on Android is still missing from the stable (real) app.

Unfortunately, what the article fails to mention is that “RiotX Android” is the unfinished complete rewrite of the Riot Android application (stable), which makes cross-signing unusable for those of us who use the stable app as a daily driver. My personal vendetta with RiotX started a while back, and its memory consumption is about 40% higher than that of its predecessor (I just installed and checked). Battery usage used to be significantly higher, although this might have changed since I last checked. The main showstopper for me is: video/audio calls (1:1) are not implemented in this new rewrite.

Although I tend to complain a lot, I do find Riot/Matrix an amazing piece of software engineering. The cross-signing feature improves usability tenfold and makes secure communication easier for non-IT people too. I just wish I could benefit from it on all my devices.

                                                                                1. 2
                                                                                1. 2
                                                                                  1. 1

                                                                                    Welcome :)

                                                                                  1. 1

I find the article a bit misleading. From where I am sitting, the author is confusing AI and automation. Labor automation is real, is happening, and does lead to workers losing jobs. This is happening in most of the industrialized sectors. Yes, AI will not replace any significant amount of jobs anytime soon, but robots (automation, mechanical, non-intelligent) will.

                                                                                    – Written on a portable device assembled by non-human workers

                                                                                    1. 1

                                                                                      This is a really weird situation, I’ve never seen anyone putting any PHPUnit files anywhere accessible in a webroot nor anyone reusing the code in a project. I’d say nearly all people use it as a development dependency, so I find this a little puzzling.

                                                                                      1. 2

                                                                                        There are two options when this might happen:

1. You have a project which makes use of composer. This project has phpunit declared in the required-dev composer configuration property. If you install dependencies by yourself using composer install, it will automatically pull the PHPUnit package into your vendor/ folder. For production deployments, always use composer install --no-dev

                                                                                        2. You have a project which makes use of composer and the developer mistakenly put PHPUnit in the standard required composer configuration property. Even if you use composer correctly, it will still be in the vendor/ folder.

                                                                                        The sad fact is, some developers made one of the above mistakes for a big project (or a dependency of a big project), and here is where we are now.

                                                                                        1. 1

                                                                                          True, but isn’t this the key line?

                                                                                          This allows an attacker to run arbitrary code via an HTTP request to eval-stdin.php.

How do you get from “this file is in the vendors dir” to “it’s accessible over HTTP”? Dependencies outside of your docroot have been a best practice for 10? 15? years?

Please tell me where my mental error is, because “copying arbitrary files into a docroot which shouldn’t be there in the first place” isn’t even an “RCE vulnerability” to me. The problem seems to be that it’s written in PHP and thus probably/maybe executed when accessed via HTTP, whereas the webserver would probably serve code in any other language as plaintext.

                                                                                          1. 1

How do you get from “this file is in the vendors dir” to “it’s accessible over HTTP”? Dependencies outside of your docroot have been a best practice for 10? 15? years?

                                                                                            Dependencies out of the webroot are not standard. Developers are free to use whatever they want. I looked at Prestashop and it appears not to be the case for them (https://github.com/PrestaShop/PrestaShop). I assume the other product(s) use a similar approach.

I assume some hosters only give upload access to the webroot, therefore projects bundle everything under one roof. One other example that comes to mind is Wordpress (although I don’t think it uses composer).
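The two comments above describe two separate conditions that together make a stray eval-stdin.php reachable: PHPUnit declared under “require” instead of “require-dev” (so composer install --no-dev still leaves it in vendor/), and vendor/ living beneath the directory the web server serves. As an added example, not code from the thread or from any of the projects named in it, this POSIX shell script audits a deployment for both. The composer.json contents and directory layouts are constructed samples; phpunit/phpunit is the real Composer package name, and the check looks for any file called eval-stdin.php rather than assuming a particular path inside the package.

```shell
#!/bin/sh
# Added example: audit a PHP deployment for (1) phpunit declared as a runtime
# dependency and (2) eval-stdin.php being reachable beneath the web root.

# Print which composer.json section declares a package: "require",
# "require-dev" or "absent". A line-oriented awk scan is enough for the
# flat "require"/"require-dev" objects composer writes.
composer_section_of() {
  pkg="$1"; file="$2"
  awk -v pkg="\"$pkg\"" '
    /"require-dev"[ \t]*:/ { section = "require-dev"; next }
    /"require"[ \t]*:/     { section = "require"; next }
    /^[ \t]*}/             { section = "" }
    index($0, pkg) && section != "" { print section; found = 1; exit }
    END { if (!found) print "absent" }
  ' "$file"
}

# Exit 0 if any eval-stdin.php exists beneath the served directory, 1 otherwise.
vendor_exposed() {
  [ -n "$(find "$1" -type f -name eval-stdin.php 2>/dev/null)" ]
}

# Audit one deployment: the project's composer.json and the served directory.
# Returns 0 when both checks pass, 1 when either fails.
audit() {
  composer_json="$1"; docroot="$2"; status=0
  case "$(composer_section_of phpunit/phpunit "$composer_json")" in
    require)
      echo "WARN: phpunit/phpunit is in \"require\"; composer install --no-dev keeps it in vendor/"
      status=1 ;;
    require-dev)
      echo "OK: phpunit/phpunit is a dev dependency; deploy with: composer install --no-dev" ;;
    absent)
      echo "OK: phpunit/phpunit is not declared" ;;
  esac
  if vendor_exposed "$docroot"; then
    echo "WARN: eval-stdin.php is reachable under the web root $docroot"
    status=1
  else
    echo "OK: no eval-stdin.php under $docroot"
  fi
  return $status
}

# Constructed sample inputs (not taken from any real project); prints the
# temp directory that holds them.
make_samples() {
  dir=$(mktemp -d)
  # Mistake 2 from the comment above: phpunit placed under "require".
  cat > "$dir/composer-wrong.json" <<'EOF'
{
    "name": "example/shop",
    "require": {
        "php": ">=7.2",
        "phpunit/phpunit": "^5.7"
    },
    "require-dev": {
        "friendsofphp/php-cs-fixer": "^2.0"
    }
}
EOF
  # Correct placement: phpunit only as a development dependency.
  cat > "$dir/composer-right.json" <<'EOF'
{
    "name": "example/shop",
    "require": {
        "php": ">=7.2"
    },
    "require-dev": {
        "phpunit/phpunit": "^5.7"
    }
}
EOF
  # Layout with vendor/ inside the served directory versus one level above it.
  mkdir -p "$dir/exposed/public/vendor/phpunit/src/Util/PHP"
  : > "$dir/exposed/public/vendor/phpunit/src/Util/PHP/eval-stdin.php"
  mkdir -p "$dir/safe/public" "$dir/safe/vendor/phpunit/src/Util/PHP"
  : > "$dir/safe/vendor/phpunit/src/Util/PHP/eval-stdin.php"
  printf '%s\n' "$dir"
}

# Usage: run both sample deployments through the audit.
if [ "${1:-}" = "--demo" ]; then
  d=$(make_samples)
  audit "$d/composer-wrong.json" "$d/exposed/public"
  audit "$d/composer-right.json" "$d/safe/public"
fi
```

Run with --demo to see one failing and one passing deployment; in a real pipeline you would point audit at the project’s composer.json and the directory your web server actually serves.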

                                                                                      1. 19

                                                                                        My milter implementation has been completely stable since written in Python 2 in 2011. Now I have to destabilize it because people are taking Python 2 away.

                                                                                        (I do not have tests. Tests would require another milter implementation that was known to be correct.)

                                                                                        Sounds like the Python 3 tests have a completely stable Python 2 implementation to be tested against.

                                                                                        1. 4

                                                                                          My thought exactly.

                                                                                          He can test against live input samples. And some randomly generated ones / edge cases which he should have done anyways.

                                                                                          But of course, it is work. But if his current version really is rock solid, he could just continue running it with python 2 or buy red hat enterprise.

                                                                                        1. 3

                                                                                          So, it seems that the vulnerability can be triggered by just sending a deauth frame and then listening for data frames and trying to decrypt them using a zero temporal key. This is particularly interesting if both AP and client are vulnerable.

                                                                                          Anyone here working with these chips that can provide an estimation of how big the Tx buffers can get? Maybe this can be combined with RTS/CTS frames to guarantee that Tx buffer is filled to the maximum.

                                                                                          1. 2

                                                                                            Beautiful find. Simple and clean exploitation, I’d use this one as a teaching example for this type of bug class (auth bypass due to unsanitized user input).

                                                                                            1. 1

                                                                                              Nice one. I especially like the way the author went after determining the number of columns that the DB was spitting out and then figured out to write content there!

                                                                                              1. 2

Interesting concept. I wonder what the difference between the proposed solution (XMPP over AirDrop) and https://briarproject.org/how-it-works/ is in functionality and features.

I had been playing with Briar a while back and found it very suitable for these kinds of message exchanges (e.g. no Internet).