1. 11

    I’m not entirely sure if I follow what the threat model is here. “Failure of key rotation results in lack of non-repudiation of communications and indeterminate potential for impersonation and man-in-the-middle attacks” seems hyperbolic at best. It just transfers the key during a migration, which seems like copying your existing pgp key to a new computer. I don’t see the problem really, and it also seems like a good trade-off (constant “key has changed” notifications don’t exactly make things more secure).

    So unless I missed something … Signal Outrage Article #518. The Signal people must have a fun time dealing with this stuff.

    Expecting similar alerts to be sent out to my existing chat threads upon phone changeover, I messaged a few of my more recent chats.

    As I read it they sent it after the key changed? Ehm…

    1. 3

      I think the point here is: should you be able to notice when your chat partner adds/removes devices to their account or not?

      If it’s easy to silently add a device, an attacker who has a few minutes of access to your phone can scan a QR code and eavesdrop on all conversations.

      1. 2

        A Signal identity can only be associated with a single phone at a time.

      2. 2

        Wasn’t very clear to me either, what I got from it:

        1. “Transferring” the key during a migration process There’s some options which can make your Signal experience more secure, and makes transferring the key not possible:
        • disabling Signal PIN (results in complete data loss when re-registering Signal on a new phone, “unless you manually back up and restore”). you would then have to manually backup conversations with a passphrase to get them on a new device
        • the actual key material transfer process requires both devices to be on the same network (at least for me)

        This issue is debatable, e2e with multiple devices is hard to pull off, and not many protocols/applications manage to do it in a usable way (Matrix/Element is the one I know which is the most usable while still secure).

        1. Uninstalling Signal on iOS/Android and then reinstalling

        I assume this happens with iCloud Backup(?)/Google Backup(?) active on the mobile devices, and results in the data/chat history/safety number restoring out of the blue.

        If it happens also when not doing device migration, it does sound like a problem. Seems to me, if this is the case, that Apple/Google may be able to access your Signal conversations and impersonate you.

        I’m hoping someone with more information on the issue(s) might explain better (Moxie, are you here?)

        1. 2

          If it happens also when not doing device migration, it does sound like a problem.

          Yeah, that would be a problem, potentially a huge one (depending on details), but unless I misunderstood something this isn’t the issue at all. All it seems like is “Signal does a cp of my key when I ask it to”, and having the key remain on your local phone after uninstallation has exactly the same threat model as having it on your phone when installing.

          Actually, there is perhaps a tiny potential threat in that last one since keys may be recovered from discarded phones; although you’d expect that anyone would wipe their phone before reselling, and you do need to confirm your phone number again on reinstall in any case IIRC. It’s a very tiny problem at best.

          And since clearing data does seem to remove the key, it doesn’t seem stored remotely on iCloud or whatnot. But “key is stored remotely” is an entirely different thing than what this article is about anyway.

          1. 1

            A stolen key from a discarded phone would not allow an attacker to decrypt past communications due to the signal protocol’s forward secrecy scheme.

            1. 1

              Decryption was never an issue in this article. It’s about impersonation.

      1. 6

        It has been merged to master now, and it seems to be working quite well.

        1. 1

          can’t wait for it to become part of the standard distros’ packaging!

          1. 1

            Mickey Petersen has a nice recipe for how to build it yourself:

            https://www.masteringemacs.org/article/speed-up-emacs-libjansson-native-elisp-compilation

            But you don’t need to check out the native-comp branch as he does, because it’s in master, as I mentioned. Also, I didn’t need the ppa:ubuntu-toolchain-r/ppa for gcc-10 on Ubuntu 20.04.

            The rest of it looks good.

        1. 2

          I’m having trouble figuring out how the routing actually works. The README says:

          Uses the Global Socket Relay Network to connect TCP pipes

          but I can’t find any description of this network — ducking for “Global Socket Relay Network” only returns hits talking about the Global Socket package.

          1. 3

            I had the exact same curiosity. In addition to what you stated, found that:

            The GSRN is a free cloud service and is free to use by anyone.

            As stated by their github repository

            My guess is that it’s similar to TURN, where the GSRN bridges each participants outgoing connection. Sounds very cool for someone who’s hosting at home and doesn’t have a public IP address.

            1. 1

              hosting at home and doesn’t have a public IP address.

              (This is what dynamic DNS is for.)

              1. 4

                Dynamic DNS will not help with the fact that you have no public IP(v4) address. This is the case for many modern ISPs, which provide your modem/router with a native IPv6 stack (including public IPv6 address), but a translated, NATed IPv4 address. This is very common practice in Europe.

                Dynamic DNS is useful when you do have a public IPv4 address, but it gets rotated at a particular interval.

                1. 1

                  Indeed — in Australia sometimes you only get CGNAT IPv4 with no IPv6 at all.

                  1. 1

                    I forgot about carrier-grade NAT, thanks!

            1. 36

              Tangentially related, it seems like macOS on M1 swaps very enthusiastically, to the point of possibly bringing SSD life well under a year: https://twitter.com/marcan42/status/1361151198921826308

              (I didn’t want to post a twitter thread as a submission, but seems like it may be of interest.)

              As marcan42 points out in the thread, this is clearly an OS software issue so it should be patchable in software as well.

              1. 11

                Interesting. I’m up to 5.4TBW; kernel_task has written 69.5GB (!) in 3 days 1 hour of uptime. One to keep an eye on; thanks for sharing.

                1. 8

                  This is madness, I’ve only managed 15 TBW on a Samsung 970 EVO 1TB on an extremely heavily used laptop in 28 months, under 2% the drive’s warrantied TBW, and keenly aware I’ve been hammering the drive at various points. That also includes 2 h00j VMware VMs

                2. 16

                  Not a big problem, just swap out the SSD of your MacBook when it’s dead. Oh wait, it can’t be replaced :/ Another reason to support Right To Repait.

                  1. 5

                    This might be controversial, but I think you’re just watching what happens when miniaturization and integration happens. The SSD on these is basically directly connected to the FSB, and that contributes to the performance of it. How do you make that replaceable effectively?

                    Your ALU used to be a discrete, replaceable component. Then it became integrated. Then L2 cache. Should it stop, especially if integration can make things more reliable (i.e RAM slot failure)?

                    1. 5

                      I think “things that are consumables” such as batteries are those things that absolutely must be replaceable. SSD’s fit that category because they actually wear out over time.

                      But I think you raise good points about other discrete components, not being able to upgrade my RAM sucks, but if it’s more reliable, performant, cheaper and uses less power than alternatives, then it’s a compelling choice.

                      1. 5

                        I agree that this is miniaturization and integration, but I’d argue it’s not strictly necessary for performance.

                        AFAIK the M1 RAM is LPDDR4X-4266 and you can buy DIMMs[*] in this specification as well. The SSD is NVMe and as far as I know there’s nothing special about the signalling compared to an off-the-shelf NVMe SSD.

                        integration can make things more reliable (i.e RAM slot failure)

                        I don’t have any numbers to back this up, but my gut feeling is that in the average upgradable laptop the number of lifetime failures that require replacing the RAM is going to be equal or higher than the number of lifetime failures that require replacing the RAM slot - so there’s a gain and a loss here.

                        I’d suggest it boils down to three things:

                        • Integrating everything on one board (or one package in the case of the RAM) is cheaper to design, manufacture and test.
                        • Integrating everything makes the product smaller and slimmer, and portable device consumers love slim products (as do Apple industrial designers, it would seem).
                        • Upgrading or repairing laptop internals is not something the majority of laptop customers plan to ever do (unfortunately), and there is no other regulatory pressure requiring this (which brings us back to Right to Repair).

                        [*] EDIT: I originally thought you could buy SO-DIMMs in this spec, but maybe only DIMMs. I think it’d be technically possible to have a small size & replaceable standard for these, but maybe the industry is going with soldered RAM to the extent that it doesn’t exist.

                        1. 1

                          I wonder how much putting RAM on as an MCM lets them run LPDDR at those speeds/latencies.

                        2. 1

                          especially if integration can make things more reliable (i.e RAM slot failure)?

                          And yet, the only failing RAM I had in a machine in the last 10 years was a MacBook Pro with on-board RAM. If the machine actually had a DIMM slot, it could’ve been replaced without replacing the whole logic board. (Since the MacBook Pro was just two days old, they replaced the whole system, of course.)

                      2. 2

                        This comment should be a separate post by itself. Thank you for the heads up!

                        1. 2

                          Not a problem on mine somehow (918GB writes in 6 weeks).

                          1. 2

                            I’m second thinking getting an M1 now, maybe I’ll wait for this to be fixed. Hopefully, in time for the new macbook pros. :p

                            Still my current Linux laptop is 4 years old, and has <10TB TBW on its nvme. I haven’t used it a lot in the past 6 months but it has been in used daily before that. So, 918GB in six weeks still seems like a lot.

                            1. 2

                              shurg

                              Just checked my 3.5 year old MB12, it had 27.5TB writes over 182-ish weeks, which is roughly 0.9TB/6W. So yeah, it’s normal.

                              1. 1

                                I’ve had a 2019 MBP from work for almost a year now, and I’m at 65.8 TB written. I don’t think this is an M1 problem so much as a macOS problem (if indeed it’s actually a problem).

                                1. 1

                                  Yes it’s certainly an OS issue.

                                  Could be some combination of usage patterns with memory configuration. Like I don’t do npm or use any heavyweight IDEs, maybe they provoke the system to swapping out more.

                                2. 1

                                  FWIW smartctl claims 27 TB written on my mid-2012 MBA11. I’m no expert, but I think my wearout is all zeroed out. Can’t upgrade past 10.15, not sure if OS matters.

                            2. 1

                              I have had this experience with macOS (VM) in general, testing my memory profiler’s OOM detection (https://pythonspeed.com/fil). it seems much more aggressive about swapping than Linux, to the point where I needed to come up with a different heuristic.

                            1. 37

                              Hello, I am here to derail the Rust discussion before it gets started. The culprit behind sudo’s vast repertoire of vulnerabilities, and more broadly of bugs in general, is accountable almost entirely to one matter: its runaway complexity.

                              We have another tool which does something very similar to sudo which we can compare with: doas. The portable version clocks in at about 500 lines of code, its man pages are a combined 157 lines long, and it has had two CVEs (only one of which Rust would have prevented), or approximately one every 30 months.

                              sudo is about 120,000 lines of code (100x more), its had 140 CVEs, or about one every 2 months since the CVE database came into being 21 years ago. Its man pages are about 10,000 lines and include the following:

                              $ man sudoers | grep -C1 despair
                              The sudoers file grammar will be described below in Extended Backus-Naur
                              Form (EBNF).  Don't despair if you are unfamiliar with EBNF; it is fairly
                              simple, and the definitions below are annotated.
                              

                              If you want programs to be more secure, stable, and reliable, the key metric to address is complexity. Rewriting it in Rust is not the main concern.

                              1. 45

                                its had 140 CVEs

                                Did you even look at that list? Most of those are not sudo vulnerabilities but issues in sudo configurations distros ship with. The actual list is more like 39, and a number of them are “disputed” and most are low-impact. I didn’t do a full detailed analysis of the issues, but the implication that it’s had “140 security problems” is simply false.

                                sudo is about 120,000 lines of code

                                More like 60k if you exclude the regress (tests) and lib directories, and 15k if you exclude the plugins (although the sudoers plugin is 40k lines, which most people use). Either way, it’s at least half of 120k.

                                Its man pages are about 10,000 lines and include the following:

                                12k, but this also includes various technical documentation (like the plugin API); the main documentation in sudoers(1) is 741 lines, and sudoers(5) is 3,255 lines. Well under half of 10,000.

                                We have another tool which does something very similar to sudo which we can compare with: doas.

                                Except that it only has 10% of the features, or less. This is good if you don’t use them, and bad if you do. But I already commented on this at HN so no need to repeat that here.

                                1. 12

                                  You’re right about these numbers being a back-of-the-napkin analysis. But even your more detailed analysis shows that the situation is much graver with sudo. I am going to include plugins, becuase if they ship, they’re a liability. And their docs, because they felt the need to write them. You can’t just shove the complexity you don’t use and/or like under the rug. Heartbleed brought the internet to its knees because of a vulnerability in a feature no one uses.

                                  And yes, doas has 10% of the features by count - but it has 99% of the features by utility. If you need something in the 1%, what right do you have to shove it into my system? Go make your own tool! Your little feature which is incredibly useful to you is incredibly non-useful to everyone else, which means fewer eyes on it, and it’s a security liability to 99% of systems as such. Not every feature idea is meritous. Scope management is important.

                                  1. 9

                                    it has 99% of the features by utility

                                    Citation needed.

                                    what right do you have to shove it into my system?

                                    Nobody is shoving anything into your system. The sudo maintainers have the right to decide to include features, and they’ve been exercising that right. You have the right to skip sudo and write your own - and you’ve been exercising that right too.

                                    Go make your own tool!

                                    You’re asking people to undergo the burden of forking or re-writing all of the common functionality of an existing tool just so they can add their one feature. This imposes a great cost on them. Meanwhile, including that code or feature into an existing tool imposes only a small (or much smaller) cost, if done correctly - the incremental cost of adding a new feature to an existing system.

                                    The key phrase here is “if done correctly”. The consensus seems to be that sudo is suffering from poor engineering practices - few or no tests, including with the patch that (ostensibly) fixes this bug. If your software engineering practices are bad, then simpler programs will have fewer bugs only because there’s less code to have bugs in. This is not a virtue. Large, complex programs can be built to be (relatively) safe by employing tests, memory checkers, good design practices, good architecture (which also reduces accidental complexity) code reviews, and technologies that help mitigate errors (whether that be a memory-safe GC-less language like Rust or a memory-safe GC’ed language like Python). Most features can (and should) be partitioned off from the rest of the design, either through compile-time flags or runtime architecture, which prevents them from incurring security or performance penalties.

                                    Software is meant to serve the needs of users. Users have varied use-cases. Distinct use-cases require more code to implement, and thereby incur complexity (although, depending on how good of an engineer one is, additional accidental complexity above the base essential complexity may be added). If you want to serve the majority of your users, you must incur some complexity. If you want to still serve them, then start by removing the accidental complexity. If you want to remove the essential complexity, then you are no longer serving your users.

                                    The sudo project is probably designed to serve the needs of the vast majority of the Linux user-base, and it succeeds at that, for the most part. doas very intentionally does not serve the needs of the vast majority of the linux user-base. Don’t condemn a project for trying to serve more users than you are.

                                    Not every feature idea is meritous.

                                    Serving users is meritous - or do you disagree?

                                    1. 6

                                      Heartbleed brought the internet to its knees because of a vulnerability in a feature no one uses.

                                      Yes, but the difference is that these are features people actually use, which wasn’t the case with Heartleed. Like I mentioned, I think doas is great – I’ve been using it for years and never really used (or liked) sudo because I felt it was far too complex for my needs, before doas I just used su. But I can’t deny that for a lot of other people (mainly organisations, which is the biggest use-case for sudo in the first place) these features are actually useful.

                                      Go make your own tool! Your little feature which is incredibly useful to you is incredibly non-useful to everyone else

                                      A lot of these things aren’t “little” features, and many interact with other features. What if I want doas + 3 flags from sudo + LDAP + auditing? There are many combinations possible, and writing a separate tool for every one of them isn’t really realistic, and all of this also required maintenance and reliable consistent long-term maintainers are kind of rare.

                                      Scope management is important.

                                      Yes, I’m usually pretty explicit about which use cases I want to solve and which I don’t want to solve. But “solving all the use cases” is also a valid scope. Is this a trade-off? Sure. But everything here is.

                                      The real problem isn’t so much sudo; but rather that sudo is the de-facto default in almost all Linux distros (often installed by default, too). Ideally, the default should be the simplest tool which solves most of the common use cases (i.e. doas), and people with more complex use cases can install sudo if they need it. I don’t know why there aren’t more distros using doas by default (probably just inertia?)

                                      1. 0

                                        What if I want doas + 3 flags from sudo + LDAP + auditing?

                                        Tough shit? I want a pony, and a tuba, and barbie doll…

                                        But “solving all the use cases” is also a valid scope.

                                        My entire thesis is that it’s not a valid scope. This fallacy leads to severe and present problems like the one we’re discussing today. You’re begging the question here.

                                        1. 4

                                          Tough shit? I want a pony, and a tuba, and barbie doll…

                                          This is an extremely user-hostile attitude to have (and don’t try claiming that telling users with not-even-very-obscure use-cases to write their own tools isn’t user-hostile).

                                          I’ve noticed that some programmers are engineers that try to build tools to solve problems for users, and some are artists that build programs that are beautiful or clever, or just because they can. You appear to be one of the latter, with your goal being crafting simple, beautiful systems. This is fine. However, this is not the mindset that allows you to build either successful systems (in a marketshare sense) or ones that are useful for many people other than yourself, for previously-discussed reasons. The sudo maintainers are trying to build software for people to use. Sure, there’s more than one way to do that (integration vs composition), but there are ways to do both poorly, and claiming the moral high ground for choosing simplicity (composition) is not only poor form but also kind of bad optics when you haven’t even begun to demonstrate that it’s a better design strategy.

                                          My entire thesis is that it’s not a valid scope.

                                          A thesis which you have not adequately defended. Your statements have amounted to “This bug is due to sudo’s complexity which is driven by the target scope/number of features that it has”, while both failing to provide any substantial evidence that this is the case (e.g. showing that sudo’s bugs are due to feature-driven essential complexity alone, and not use of a memory-unsafe language, poor software engineering practices (which could lead to either accidental complexity or directly to bugs themselves), or simple chance/statistics) and not actually providing any defense for the thesis as stated. Assume that @arp242 didn’t mean “all” the usecases, but instead “the vast majority” of them - say, enough that it works for 99.9% of users. Why is this “invalid”, exactly? It’s easy for me to imagine the argument being “this is a bad idea”, but I can’t imagine why you would think that it’s logically incoherent.

                                          Finally, you have repeatedly conflated “complexity” and “features”. Your entire argument is, again, invalid if you can’t show that sudo’s complexity is purely (or even mostly) essential complexity, as opposed to accidental complexity coming from being careless etc.

                                    2. 9

                                      I dont’t think “users (distros) make a lot of configuration mistakes” is a good defence when arguing if complexity is the issue.

                                      But I do agree about feature set. And I feel like arguing against complexity for safety is wrong (like ddevault was doing), because systems inevitably grow complex. We should still be able to build safe, complex systems. (Hence why I’m a proponent of language innovation and ditching C.)

                                      1. 11

                                        I dont’t think “users (distros) make a lot of configuration mistakes” is a good defence when arguing if complexity is the issue.

                                        It’s silly stuff like (ALL : ALL) NOPASSWD: ALL. “Can run sudo without a password” seems like a common theme: some shell injection is found in the web UI and because the config is really naïve (which is definitely not the sudo default) it’s escalated to root.

                                        Others aren’t directly related to sudo configuration as such; for example this one has a Perl script which is run with sudo that can be exploited to run arbitrary shell commands. This is also a common theme: some script is run with sudo, but the script has some vulnerability and is now escalated to root as it’s run with sudo.

                                        I didn’t check all of the issues, but almost all that I checked are one of the above; I don’t really see any where the vulnerability is caused directly by the complexity of sudo or its configuration; it’s just that running anything as root is tricky: setuid returns 432 results, three times that of sudo, and I don’t think that anyone can argue that setuid is complex or that setuid implementations have been riddled with security bugs.

                                        Other just mention sudo in passing by the way; this one is really about an unrelated remote exec vulnerability, and just mentions “If QCMAP_CLI can be run via sudo or setuid, this also allows elevating privileges to root”. And this one isn’t even about sudo at all, but about a “sudo mode” plugin for TYPO3, presumably to allow TYPO3 users some admin capabilities without giving away the admin password. And who knows why this one is even returned in a search for “sudo” as it’s not mentioned anywhere.

                                        1. 3

                                          it’s just that running anything as root is tricky: setuid returns 432 results, three times that of sudo

                                          This is comparing apples to oranges. setuid affects many programs, so obviously it would have more results than a single program would. If you’re going to attack my numbers than at least run the same logic over your own.

                                          1. 2

                                            It is comparing apples to apples, because many of the CVEs are about other program’s improper sudo usage, similar to improper/insecure setuid usage.

                                            1. 2

                                              Well, whatever we’re comparing, it’s not making much sense.

                                              1. If sudo is hard to use and that leads to security problems through its misusage, that’s sudo’s fault. Or do you think that the footguns in C are not C’s fault, either? I thought you liked Rust for that very reason. For this reason the original CVE count stands.
                                              2. But fine, let’s move on on the presumption that the original CVE count is not appropriate to use here, and instead reference your list of 39 Ubuntu vulnerabilities. 39 > 2, Q.E.D. At this point we are comparing programs to programs.
                                              3. You now want to compare this with 432 setuid results. You are comparing programs with APIs. Apples to oranges.

                                              But, if you’re trying to bring this back and compare it with my 140 CVE number, it’s still pretty damning for sudo. setuid is an essential and basic feature of Unix, which cannot be made any smaller than it already is without sacrificing its essential nature. It’s required for thousands of programs to carry out their basic premise, including both sudo and doas! sudo, on the other hand, can be made much simpler and still address its most common use-cases, as demonstrated by doas’s evident utility. It also has a much smaller exposure: one non-standard tool written in the 80’s and shunted along the timeline of Unix history every since, compared to a standardized Unix feature introduced by DMR himself in the early 70’s. And setuid somehow has only 4x the number of footgun incidents? sudo could do a hell of a lot better, and it can do so by trimming the fat - a lot of it.

                                              1. 3

                                                If sudo is hard to use and that leads to security problems through its misusage, that’s sudo’s fault.

                                                It’s not because it’s hard to use, it’s just that its usage can escalate other more (relatively) benign security problems, just like setuid can. This is my point, as a reply to stephank’s comment. This is inherent to running anything as root, with setuid, sudo, or doas, and why we have capabilities on Linux now. I bet that if doas would be the default instead of sudo we’d have a bunch of CVEs about improper doas usage now, because people do stupid things like allowing anyone to run anything without password and then write a shitty web UI in front of that. That particular problem is not doas’s (or sudo’s) fault, just as cutting myself with the kitchen knife isn’t the knife’s fault.

                                                reference your list of 39 Ubuntu vulnerabilities. 39 > 2, Q.E.D.

                                                Yes, sudo has had more issues in total; I never said it doesn’t. It’s just a lot lower than what you said, and quite a number are very low-impact, so I just disputed the implication that sudo is a security nightmare waiting to happen: it’s track record isn’t all that bad. As always, more features come with more (security) bugs, but use cases do need solving somehow. As I mentioned, it’s a trade-off.

                                                sudo, on the other hand, can be made much simpler and still address its most common use-cases, as demonstrated by doas’s evident utility

                                                We already agreed on this yesterday on HN, which I repeated here as well; all I’m adding is “but sudo is still useful, as it solves many more use cases” and “sudo isn’t that bad”.

                                                Interesting thing to note: sudo was removed from OpenBSD by millert@openbsd.org; who is also the sudo maintainer. I think he’ll agree that “sudo is too complex for it to the default”, which we already agree on, but not that sudo is “too complex to exist”, which is where we don’t agree.

                                                Could sudo be simpler or better architectured to contain its complexity? Maybe. I haven’t looked at the source or use cases in-depth, and I’m not really qualified to make this judgement.

                                        2. 5

                                          I think arguing against complexity is one of the core principles of UNIX philosophy, and it’s gotten us quite far on the operating system front.

                                          If simplicity was used in sudo, this particular vulnerability would not have been possible to trigger it: why have sudoedit in the first place, which just implies the -e flag? This statement is a guarantee.

                                          If it would’ve ditched C, there is no guarantee that this issue wouldn’t have happened.

                                        3. 2

                                          Did you even look at that list? Most of those are not sudo vulnerabilities but issues in sudo configurations distros ship with.

                                          If even the distros can’t understand the configuration well enough to get it right, what hope do I have?

                                        4. 16

                                          OK maybe here’s a more specific discussion point:

                                          There can be logic bugs in basically any language, of course. However, the following classes of bugs tend to be steps in major exploits:

                                          • Bounds checking issues on arrays
                                          • Messing around with C strings at an extremely low level

                                          It is hard to deny that, in a universe where nobody ever messed up those two points, there are a lot less nasty exploits in the world in systems software in particular.

                                          Many other toolchains have decided to make the above two issues almost non-existent through various techniques. A bunch of old C code doesn’t handle this. Is there not something that can be done here to get the same productivity and safety advantages found in almost every other toolchain for tools that form the foundation of operating computers? Including a new C standard or something?

                                          I can have a bunch of spaghetti code in Python, but turning that spaghetti into “oh wow argv contents ran over some other variables and messed up the internal state machine” is a uniquely C problem, but if everyone else can find solutions, I feel like C could as well (including introducing new mechanisms to the language. We are not bound by what is printed in some 40-year-old books, and #ifdef is a thing).

                                          EDIT: forgot to mention this, I do think that sudo is a bit special given that its default job is to take argv contents and run them. I kinda agree that sudo is a bit special in terms of exploitability. But hey, the logic bugs by themselves weren’t enough to trigger the bug. When you have a multi-step exploit, anything on the path getting stopped is sufficient, right?

                                          1. 14

                                            +1. Lost in the noise of “but not all CVEs…” is the simple fact that this CVE comes from an embarrassing C string fuckup that would be impossible, or at least caught by static analysis, or at very least caught at runtime, in most other languages. If “RWIIR” is flame bait, then how about “RWIIP” or at least “RWIIC++”?

                                            1. 1

                                              I be confused… what does the P in RWIIP mean?

                                              1. 3

                                                Pascal?

                                                1. 1

                                                  Python? Perl? Prolog? PL/I?

                                                2. 2

                                                  Probably Python, given the content of the comment by @rtpg. Python is also memory-safe, while it’s unclear to me whether Pascal is (a quick search reveals that at least FreePascal is not memory-safe).

                                                  Were it not for the relative (accidental, non-feature-providing) complexity of Python to C, I would support RWIIP. Perhaps Lua would be a better choice - it has a tiny memory and disk footprint while also being memory-safe.

                                                  1. 2

                                                    Probably Python, given the content of the comment by @rtpg. Python is also memory-safe, while it’s unclear to me whether Pascal is (a quick search reveals that at least FreePascal is not memory-safe).

                                                    That’s possibly it.

                                                    Perhaps Lua would be a better choice - it has a tiny memory and disk footprint while also being memory-safe.

                                                    Not to mention that Lua – even when used without LuaJIT – is simply blazingly fast compared to other scripting languages (Python, Perl, &c)!

                                                    For instance, see this benchmark I did sometime ago: https://0x0.st/--3s.txt. I had implemented Ackermann’s function in various languages (the “./ack” file is the one in C) to get a rough idea on their execution speed, and lo and behold Lua turned out to be second only to the C implementation.

                                            2. 15

                                              I agree that rewriting things in Rust is not always the answer, and I also agree that simpler software makes for more secure software. However, I think it is disingenuous to compare the overall CVE count for the two programs. Would you agree that sudo is much more widely installed than doas (and therefore is a larger target for security researchers)? Additionally, most of the 140 CVEs linked were filed before October 2015, which is when doas was released. Finally, some of the linked CVEs aren’t even related to code vulnerabilities in sudo, such as the six Quest DR Series Disk Backup CVEs (example).

                                              1. 4

                                                I would agree that sudo has a bigger target painted on its back, but it’s also important to acknowledge that it has a much bigger back - 100× bigger. However, I think the comparison is fair. doas is the default in OpenBSD and very common in NetBSD and FreeBSD systems as well, which are at the heart of a lot of high-value operations. I think it’s over the threshold where we can consider it a high-value target for exploitation. We can also consider the kinds of vulnerabilities which have occured internally within each project, without comparing their quantity to one another, to characterize the sorts of vulnerabilities which are common to each project, and ascertain something interesting while still accounting for differences in prominence. Finally, there’s also a bias in the other direction: doas is a much simpler tool, shipped by a team famed for its security prowess. Might this not dissuade it as a target for security researchers just as much?

                                                Bonus: if for some reason we believed that doas was likely to be vulnerable, we could conduct a thorough audit on its 500-some lines of code in an hour or two. What would the same process look like for sudo?

                                                1. -1

                                                  but it’s also important to acknowledge that it has a much bigger back - 100× bigger.

                                                  Sorry but I miss the mass of users pretesting on the streets for tools that have 100x code compare to other tools providing similar functionality.

                                                  1. 10

                                                    What?

                                              2. 10

                                                So you’re saying that 50% of the CVEs in doas would have been prevented by writing it in Rust? Seems like a good reason to write it in Rust.

                                                1. 11

                                                  Another missing point is that Rust is only one of many memory safe languages. Sudo doesn’t need to be particularly performant or free of garbage collection pauses. It could be written in your favorite GCed language like Go, Java, Scheme, Haskell, etc. Literally any memory safe language would be better than C for something security-critical like sudo, whether we are trying to build a featureful complex version like sudo or a simpler one like doas.

                                                  1. 2

                                                    Indeed. And you know, Unix in some ways have been doing this for years anyway with Perl, python and shell scripts.

                                                    1. 2

                                                      I’m not a security expert, so I’m be happy to be corrected, but if I remember correctly, using secrets safely in a garbage collected language is not trivial. Once you’ve finished working with some secret, you don’t necessarily know how long it will remain in memory before it’s garbage collected, or whether it will be securely deleted or just ‘deallocated’ and left in RAM for the next program to read. There are ways around this, such as falling back to manual memory control for sensitive data, but as I say, it’s not trivial.

                                                      1. 2

                                                        That is true, but you could also do the secrets handling in a small library written in C or Rust and FFI with that, while the rest of your bog-standard logic not beholden to the issues that habitually plague every non-trivial C codebase.

                                                        1. 2

                                                          Agreed.

                                                          Besides these capabilities, ideally a language would also have ways of expressing important security properties of code. For example, ways to specify that a certain piece of data is secret and ensure that it can’t escape and is properly overwritten when going out of scope instead of simply being dropped, and ways to specify a requirement for certain code to use constant time to prevent timing side channels. Some languages are starting to include things like these.

                                                          Meanwhile when you try to write code with these invariants in, say, C, the compiler might optimize these desired constraints away (overwriting secrets is a dead store that can be eliminated, the password checker can abort early when the Nth character of the hash is wrong, etc) because there is no way to actually express those invariants in the language. So I understand that some of these security-critical things are written in inline assembly to prevent these problems.

                                                          1. 1

                                                            overwriting secrets is a dead store that can be eliminated

                                                            I believe that explicit_bzero(3) largely solves this particular issue in C.

                                                            1. 1

                                                              Ah, yes, thanks!

                                                              It looks like it was added to glibc in 2017. I’m not sure if I haven’t looked at this since then, if the resources I was reading were just not up to date, or if I just forgot about this function.

                                                  2. 8

                                                    I do think high complexity is the source of many problems in sudo and that doas is a great alternative to avoid many of those issues.

                                                    I also think sudo will continue being used by many people regardless. If somebody is willing to write an implementation in Rust which might be just as complex but ensures some level of safety, I don’t see why that wouldn’t be an appropriate solution to reducing the attack surface. I certainly don’t see why we should avoid discussing Rust just because an alternative to sudo exists.

                                                    1. 2

                                                      Talking about Rust as an alternative is missing the forest for the memes. Rust is a viral language (in the sense of internet virality), and a brain worm that makes us all want to talk about it. But in actual fact, C is not the main reason why anything is broken - complexity is. We could get much more robust and reliable software if we focused on complexity, but instead everyone wants to talk about fucking Rust. Rust has its own share of problems, chief among them its astronomical complexity. Rust is not a moral imperative, and not even the best way of solving these problems, but it does have a viral meme status which means that anyone who sees through its bullshit has to proactively fend off the mob.

                                                      1. 32

                                                        But in actual fact, C is not the main reason why anything is broken - complexity is.

                                                        Offering opinions as facts. The irony of going on to talk about seeing through bullshit.

                                                        1. 21

                                                          I don’t understand why you hate Rust so much but it seems as irrational as people’s love for it. Rust’s main value proposition is that it allows you to write more complex software that has fewer bugs, and your point is that this is irrelevant because the software should just be less complex. Well I have news for you, software is not going to lose any of its complexity. That’s because we want software to do stuff, the less stuff it does the less useful it becomes, or you have to replace one tool with two tools. The ecosystem hasn’t actually become less complex when you do that, you’re just dividing the code base into two chunks that don’t really do what you want. I don’t know why you hate Rust so much to warrant posting anywhere the discussion might come up, but I would suggest if you truly cannot stand it that you use some of your non-complex software to filter out related keywords in your web browser.

                                                          1. 4

                                                            Agree with what you’ve wrote, but just to pick at a theme that’s bothering me on this thread…

                                                            I don’t understand why you hate Rust so much but it seems as irrational as people’s love for it.

                                                            This is obviously very subjective, and everything below is anecdotal, but I don’t agree with this equivalence.

                                                            In my own experience, everyone I’ve met who “loves” or is at least excited about rust seems to feel so for pretty rational reasons: they find the tech interesting (borrow checking, safety, ML-inspired type system), or they enjoy the community (excellent documentation, lots of development, lots of online community). Or maybe it’s their first foray into open source, and they find that gratifying for a number of reasons. I’ve learned from some of these people, and appreciate the passion for what they’re doing. Not to say they don’t exist, but I haven’t really seen anyone “irrationally” enjoy rust - what would that mean? I’ve seen floating around a certain spiteful narrative of the rust developer as some sort of zealous online persona that engages in magical thinking around the things rust can do for them, but I haven’t really seen this type of less-than-critical advocacy any more for rust than I have seen for other technologies.

                                                            On the other hand I’ve definitely seen solid critiques of rust in terms of certain algorithms being tricky to express within the constraints of the borrow checker, and I’ve also seen solid pushback against some of the guarantees that didn’t hold up in specific cases, and to me that all obviously falls well within the bounds of “rational”. But I do see a fair amount of emotionally charged language leveled against not just rust (i.e. “bullshit” above) but the rust community as well (“the mob”), and I don’t understand what that’s aiming to accomplish.

                                                            1. 3

                                                              I agree with you, and I apologize if it came across that I think rust lovers are irrational - I for one am a huge rust proselytizer. I intended for the irrationality I mentioned to be the perceived irrationality DD attributes to the rust community

                                                              1. 2

                                                                Definitely no apology needed, and to be clear I think the rust bashing was coming from elsewhere, I just felt like calling it to light on a less charged comment.

                                                              2. 1

                                                                I think the criticism isn’t so much that people are irrational in their fondness of Rust, but rather that there are some people who are overly zealous in their proselytizing, as well as a certain disdain for everyone who is not yet using Rust.

                                                                Here’s an example comment from the HN thread on this:

                                                                Another question is who wants to maintain four decades old GNU C soup? It was written at a different time, with different best practices.

                                                                In some point someone will rewrite all GNU/UNIX user land in modern Rust or similar and save the day. Until this happens these kind of incidents will happen yearly.

                                                                There are a lot of things to say about this comment, and it’s entirely false IMO, but it’s not exactly a nice comment, and why Rust? Why not Go? Or Python? Or Zig? Or something else.

                                                                Here’s another one:

                                                                Rust is modernized C. You are looking for something that already exists. If C programmers would be looking for tools to help catch bugs like this and a better culture of testing and accountability they would be using Rust.

                                                                The disdain is palatable in this one, and “Rust is modernized C” really misses the mark IMO; Rust has a vastly different approach. You can consider this a good or bad thing, but it’s really not the only approach towards memory-safe programming languages.


                                                                Of course this is not representative for the entire community; there are plenty of Rust people that I like and have considerably more nuanced views – which are also expressed in that HN thread – but these comments certainly are frequent enough to give a somewhat unpleasant taste.

                                                              3. 2

                                                                While I don’t approve of the deliberately inflammatory form of the comments, and don’t agree with the general statement that all complexity is eliminateable, I personally agree that, in this particular case, simplicity > Rust.

                                                                As a thought experiment, world 1 uses sudo-rs as a default implementation of sudo, while world 2 uses 500 lines of C which is doas. I do think that world 2 would be generally more secure. Sure, it’ll have more segfaults, but fewer logical bugs.

                                                                I also think that the vast majority of world 2 populace wouldn’t notice the absence of advanced sudo features. To be clear, the small fraction that needs those features would have to install sudo, and they’ll use the less tested implementation, so they will be less secure. But that would be more than offset by improved security of all the rest.

                                                                Adding a feature to a program always has a cost for those who don’t use this feature. If the feature is obscure, it might be overall more beneficial to have a simple version which is used by the 90% of the people, and a complex for the rest 10%. The 10% would be significantly worse off in comparison to the unified program. The 90% would be slightly better off. But 90% >> 10%.

                                                                1. 2

                                                                  Rust’s main value proposition is that it allows you to write more complex software that has fewer bugs

                                                                  I argue that it’s actually that it allows you to write fast software with fewer bugs. I’m not entirely convinced that Rust allows you to manage complexity better than, say, Common Lisp.

                                                                  That’s because we want software to do stuff, the less stuff it does the less useful it becomes

                                                                  Exactly. Software is written for people to use. (technically, only some software - other software (such as demoscenes) is written for the beauty of it, or the enjoyment of the programmer; but in this discussion we only care about the former)

                                                                  The ecosystem hasn’t actually become less complex when you do that

                                                                  Even worse - it becomes more complex. Now that you have two tools, you have two userbases, two websites, two source repositories, two APIs, two sets of file formats, two packages, and more. If the designs of the tools begin to differ substantially, you have significantly more ecosystem complexity.

                                                                  1. 2

                                                                    You’re right about Rust value proposition, I should have added performance to that sentence. Or, I should have just said managed language, because as another commenter pointed out Rust is almost irrelevant to this whole conversation when it comes to preventing these type of CVEs

                                                                  2. 1

                                                                    The other issue is that it is a huge violation of principle of least privilege. Those other features are fine, but do they really need to be running as root?

                                                              4. 7

                                                                Just to add to that: In addition to having already far too much complexity, it seems the sudo developers have a tendency to add even more features: https://computingforgeeks.com/better-secure-new-sudo-release/

                                                                Plugins, integrated log server, TLS support… none of that are things I’d want in a tool that should be simple and is installed as suid root.

                                                                (Though I don’t think complexity vs. memory safety are necessarily opposed solutions. You could easily imagine a sudo-alike too that is written in rust and does not come with unnecessary complexity.)

                                                                1. 4

                                                                  What’s wrong with EBNF and how is it related to security? I guess you think EBNF is something the user shouldn’t need to concern themselves with?

                                                                  1. 6

                                                                    There’s nothing wrong with EBNF, but there is something wrong with relying on it to explain an end-user-facing domain-specific configuration file format for a single application. It speaks to the greater underlying complexity, which is the point I’m making here. Also, if you ever have to warn your users not to despair when reading your docs, you should probably course correct instead.

                                                                    1. 2

                                                                      Rewrite: The point that you made in your original comment is that sudo has too many features (disguising it as a point about complexity). The manpage snippet that you’re referring to has nothing to do with features - it’s a mix between (1) the manpage being written poorly and (2) a bad choice of configuration file format resulting in accidental complexity increase (with no additional features added).

                                                                    2. 1

                                                                      EBNF as a concept aside; the sudoers manpage is terrible.

                                                                    3. 3

                                                                      Hello, I am here to derail the Rust discussion before it gets started.

                                                                      I am not sure what you are trying to say, let me guess with runaway complexity.

                                                                      • UNIX is inherently insecure and it cannot be made secure by any means
                                                                      • sudo is inherently insecure and it cannot be made secure by any means

                                                                      Something else maybe?

                                                                      1. 4

                                                                        Technically I agree with both, though my arguments for the former are most decidedly off-topic.

                                                                        1. 5

                                                                          Taking Drew’s statement at face value: There’s about to be another protracted, pointless argument about rewriting things in rust, and he’d prefer to talk about something more practically useful?

                                                                          1. 7

                                                                            I don’t understand why you would care about preventing a protracted, pointless argument on the internet. Seems to me like trying to nail jello to a tree.

                                                                        2. 3

                                                                          This is a great opportunity to promote doas. I use it everywhere these days, and though I don’t consider myself any sort of Unix philosophy purist, it’s a good example of “do one thing well”. I’ll call out Ted Unangst for making great software. Another example is signify. Compared to other signing solutions, there is much less complexity, much less attack surface, and a far shallower learning curve.

                                                                          I’m also a fan of tinyssh. It has almost no knobs to twiddle, making it hard to misconfigure. This is what I want in security-critical software.

                                                                          Relevant link: Features Are Faults.

                                                                          All of the above is orthogonal to choice of implementation language. You might have gotten a better response in the thread by praising doas and leaving iron oxide out of the discussion. ‘Tis better to draw flies with honey than with vinegar. Instead, you stirred up the hornets’ nest by preemptively attacking Rust.

                                                                          PS. I’m a fan of your work, especially Sourcehut. I’m not starting from a place of hostility.

                                                                          1. 3

                                                                            If you want programs to be more secure, stable, and reliable, the key metric to address is complexity. Rewriting it in Rust is not the main concern.

                                                                            Why can’t we have the best of both worlds? Essentially a program copying the simplicity of doas, but written in Rust.

                                                                            1. 2

                                                                              Note that both sudo and doas originated in OpenBSD. :)

                                                                              1. 9

                                                                                Got a source for the former? I’m pretty sure sudo well pre-dates OpenBSD.

                                                                                Sudo was first conceived and implemented by Bob Coggeshall and Cliff Spencer around 1980 at the Department of Computer Science at SUNY/Buffalo. It ran on a VAX-11/750 running 4.1BSD. An updated version, credited to Phil Betchel, Cliff Spencer, Gretchen Phillips, John LoVerso and Don Gworek, was posted to the net.sources Usenet newsgroup in December of 1985.

                                                                                The current maintainer is also an OpenBSD contributor, but he started maintaining sudo in the early 90s, before OpenBSD forked from NetBSD. I don’t know when he started contributing to OpenBSD.

                                                                                So I don’t think it’s fair to say that sudo originated in OpenBSD :)

                                                                                1. 1

                                                                                  Ah, looks like I was incorrect. I misinterpreted OpenBSD’s innovations page. Thanks for the clarification!

                                                                            1. 1

                                                                              Disclosure seems a bit rushed to me, given the high impact (and availability of sudo) of this thing. the authors also offer three different way of exploitation, and number 1 and number 3 are quite easy to implement without too much reverse engineering challenge.

                                                                              1. 3

                                                                                As a friend pointed out to me, once sudo is patched, anyone can look at the diff and guess that there was a vulnerability patched, so once the patches are out there’s not much lost by full disclosure and you get a gain in awareness of the already-present threat.

                                                                                1. 2

                                                                                  There is no published POC for the exploit yet. The disclosure timeline is completely fine as the distro-list prefer short embargo periods. That means most distros knew about it at the time of disclosure and could prepare patched packages. This exploit isn’t really special.

                                                                                1. 3

                                                                                  If you prefer to read Lobsters on a dark background instead of a light one, there are a few options. You could install the Dark Reader extension; or an extension to add your own CSS to sites like Stylus or UserCSS (never Stylish). Themes: 1 2 3 4. Discussion: 1 2 3 4

                                                                                  This is taken from the last section, Trivia of the about page.

                                                                                  1. 4

                                                                                    What happened to don’t use e-mail for stuff you don’t want to get leaked in the future?

                                                                                    Very few comments about the advantages of having DKIM as a non-repudiation mechanism, such as if I need to prove I received an email at the specific date and/or time:

                                                                                    • My ISP sent me an email letting me know my Internet service will be upgraded for free to a higher tier, and then fails to do this (has actually happened)
                                                                                    • My landlord agreeing to lowering my rent for the remainder of the year, and then not admitting he ever said this
                                                                                    • A lot of other reasons why I prefer having DKIM’s side effects

                                                                                    I can’t imagine myself convincing/forcing my ISP to start using OTHER methods such as GPG, S/MIME and whatever else. Or my VPS provider, or my landlord. While I do feel for the politicians/journalists/whistleblowers and other persons suffering from the side effect of DKIM, I assume the rest of the population would mostly benefit from having messages authenticated.

                                                                                    1. 9

                                                                                      I’ve noticed the same issue with Electron apps on my low RAM devices. Anything with 4GB or less of RAM doesn’t allow you to run more than 2 instances of the programs, without chugging into swap space or worse, oom-killing.

                                                                                      Particularly worrying is most of my messaging apps are exactly like that: Riot/Element, FB Messenger, WhatsApp, Telegram (this last one is actually pretty optimized and doesn’t eat too much). Long gone are the days where an XMPP bridge would solve the issue, as most of the content is now images, audio messages, animated GIFs, emojis and other rich content.

                                                                                      Thanks for the article, at least I know that i can replace one of the culprits with a daemonized, non-Electron app and just use the phone as a remote control.

                                                                                      1. 9

                                                                                        As far as I am aware, Telegram is not Electron, it is actually a Qt based app.

                                                                                        1. 7

                                                                                          Long gone are the days where an XMPP bridge would solve the issue, as most of the content is now images, audio messages, animated GIFs, emojis and other rich content.

                                                                                          I’m not sure what you mean. Most XMPP clients today (like Conversations, Dino, etc.) gracefully handle all of the items you mentioned, and with much less resources than a full web browser would require. I definitely recommend XMPP bridges when possible where the only alternative is an “app” that is really a full web browser.

                                                                                          1. 4

                                                                                            Of those listed, I think Riot will maybe disappear at some point. Riot has (amazingly) managed to have native desktop clients pop up, Quarternion, gomatrix and nheko are all packaged for my Linux distribution.

                                                                                            1. 3

                                                                                              I understand the desire to use something browser-ish and cross-platform. I don’t fully understand why Electron (hundreds of mb footprint) is so popular over Sciter (5mb footprint).

                                                                                              1. 1

                                                                                                Electron is fully free, Sciter is closed-source with a Kickstarter campaign in progress to open-source it.

                                                                                                For the large companies, the price of something like Sciter should be a non-issue. If I were reviewing a proposal to use it, though, I’d be asking about security review and liability: HTML/CSS/JS have proven to be hard to get secure, Electron leverages the sugar-daddy of Google maintaining Chrome with security fixes, what is the situation with Sciter like?

                                                                                                Ideally, the internal review would go “okay, but if we only connect to our servers, and we make sure we’re not messing up TLS/HTTPS, then the only attack model is around user-data from other users being rendered in these contexts, and we have to have corner-case testing there no matter which engine we use, to make sure there are no leaks, so this is all manageable”. But I can see that “manageable” might not be enough to overcome the initial knee-jerk reactions.

                                                                                              2. 2

                                                                                                Long gone are the days where an XMPP bridge would solve the issue

                                                                                                I use Dino on desktop to replace the bloated Discord & WhatsApp clients, and it works fine (with inline images, file sharing, etc working too).

                                                                                                Disclaimer: I did, however, write the WhatsApp bridge :p

                                                                                                1. 1

                                                                                                  Isn’t the reason that XMPP isn’t useful more to do with these services wanting to maintain walled gardens? And further, isn’t that a result of the incentives in a world of “free” services?

                                                                                                1. 1

                                                                                                  I’ve read so many k8s articles in the past years that I feel like I almost have intimate knowledge of this piece of software, even though I have not used it productively before. It’s obviously pretty strong at allowing applications to scale up whenever in high demand.

                                                                                                  Kubernetes will automatically manage your resources for you. If configured correctly, it can survive even if a “node”, or a server in the cluster, becomes unaccessible, with no input required from the user. Kubernetes through some service providers can scale up workloads to massive amounts temporarily, which can be incredibly useful if your service becomes very popular and you suddenly gain a lot of traffic. Running a Kubernetes system means you can reduce your downtime to an insanely small level, and increase your computational capacity to an insanely large level. While this may not seem useful up front, you may consider it essential down the line.

                                                                                                  Are there persons here who have designed and deployed applications on k8s for non-enterprise use, and have actually gotten to make use of the most important features of k8s: prevented downtime and scaling up (due to high increases in traffic/capacity)? I’m talking here about blogs, web services, apps, mobile apps, mostly deployed and maintained by a single developer.

                                                                                                  1. 4

                                                                                                    I have been working on Kubernetes for my company for about two years. It’s had a lot of benefits for our use cases, but I would never use it for a one-developer project. It’s simply not worth it – the things it solves for you aren’t going to be problems you have. I’d even say things like downtime and scaling up aren’t as big a deal at that level of functionality; I’d think that it’s often better for a blog to fall over than to scale at the level that some of the apps I work on scale, simply due to cost. (Are you okay with paying $900 for one day’s traffic spike?) Some of the things that it does don’t even make sense if you’re not working in a particular type of environment.

                                                                                                    1. 3

                                                                                                      As a sole developer, you have near-zero communications overhead; you can just remember / write down the state of play, and everyone who has to maintain it will automatically know. You never (eg) accidentally try to run two deploys at the same time, even if you don’t implement a mutex around your deploy process. Implementing k8s can consume all of your team-of-ones output for weeks.

                                                                                                      Adding kubernetes (or similar kinds of complex system) can be fantastic for big teams. Having a single source of truth RE the status of the app is a tremendous advantage. It only takes a small fraction of the teams output to implement. The cost/benefit is totally different.

                                                                                                    1. 4

                                                                                                      How are things like this not already a problem for other lithium-battery-powered devices like, say, the Pinebook Pro?

                                                                                                      1. 3

                                                                                                        Seems the Pinephone is based on the Allwinner A64 SoC and the Pinebook Pro is based on the RK3399 SoC. I’m assuming both have different power management chips, drivers or whatnot.

                                                                                                      1. 10

                                                                                                        I submitted this because this is the second time in the week I’ve seen other posts recommending moving the sshd listening port to an unprivileged port and I think this is always a terrible idea.

                                                                                                        1. 43

                                                                                                          Now, back to SSH: when we start SSH on port 22, we know for a fact that this is done by root or a root-process since no other user could possibly open that port. But what happens when we move SSH to port 2222? This port can be opened without a privileged account, which means I can write a simple script that listens to port 2222 and mimics SSH in order to capture your passwords. And this can easily be done with simple tools commonly available on every linux system/server. So running SSH on a non-privileged port makes it potentially LESS secure, not MORE. You have no way of knowing if you are talking to the real SSH server or not. This reason, and this reason alone makes it that you should NEVER EVER use a non-privileged port for running your SSH server.

                                                                                                          The author is suggesting trusting port 22 because it is a “root” process.There is a “way of knowing if you are talking to the real SSH server or not”, and it’s actually one of SSHs features since its first release. I would trust any port, no matter the “privilege level” required to listen on that port, for a single reason: I trust the SSH server based on its fingerprint, not on its listening port; and I know that my server’s key data is only readable by root, it has been like this in almost all SSH default installations for the last 20 years.

                                                                                                          Now, let’s pretend you STILL want to move the port away because you get so many attacks on your SSH port. First of all: are you able to logon as root? If so, fix that now. Secondly: are you using passwords? If so, fix that now and change into public key authentication.

                                                                                                          I want to move the port away because of the insane amount of traffic that I have to pay for (if I rent a server, VPS, or anything similar which bills me on network egress/ingress). Disabling password access (for any user) will not make dumb port scans and SSH fingerprinters stop looking at my SSH banner and then decide, based on this information, to just try out username/password combinations, even when my server rejects this authentication method.

                                                                                                          The rest of the arguments are personal opinion.

                                                                                                          1. 8

                                                                                                            Besides, by this reasoning creating a connection to the many many services that run on port >1024 is a bad idea too. Connect to MySQL on 3306? Oh noes! Have your app run on localhost:8080 and a proxy on *:80? Oh noes!

                                                                                                            1. 3

                                                                                                              Please move your MySQL port to 306 and launch MySQL as root.

                                                                                                              1. 1

                                                                                                                call me crazy but I don’t think “you risk an attacker accessing your database” and “you risk an attacker having a shell to do whatever they want” are really equivalent.

                                                                                                                1. 1

                                                                                                                  Well, the DB in most cases have much more value to the attacker than your machine, so I would say, that from the pragmatic viewpoint, DB is more likely to be targeted.

                                                                                                              2. 8

                                                                                                                the insane amount of traffic that I have to pay for

                                                                                                                how much money per month do you estimate you were paying for to handle traffic from people attempting to ssh into a given node?

                                                                                                                1. 3

                                                                                                                  About 2 euro cents a month, per host.

                                                                                                                  1. 1

                                                                                                                    the question is: how many resources of concurrent connections does this take, which are completely unnecessary and are filling your logs

                                                                                                                    1. 3

                                                                                                                      Clearly not enough to make log tuning worthwhile.

                                                                                                                      A lot of these blanket statements ignore the fact that action or inaction is perfectly reasonable dependent on threat model. But of course, most people making blanket statements aren’t applying a threat model when doing so.

                                                                                                                  2. 6

                                                                                                                    This was basically what I was going to say.

                                                                                                                    If a server can somehow knock down sshd, listen on the same unrestricted port, they still would have to present the appropriate hostkeys.

                                                                                                                    Even then, LSM’s like SELinux, etc can put restrictions on who can name_bind on any port you want. only caveat is that you have to write the policy for it. I am strongly against the >1024 privileged ports restriction in the era of LSMs.

                                                                                                                    1. 1

                                                                                                                      I am strongly against the >1024 privileged ports restriction in the era of LSMs.

                                                                                                                      Can you expand?

                                                                                                                      1. 1

                                                                                                                        With LSM you can disable opening any port by all applications and then allow opening ports per application. So on server it allows for much greater security, as you can directly list which application will be able to open connections (and even make it so no port requires super user, as application/user combo will be handled by LSM).

                                                                                                                        1. 1

                                                                                                                          This is an argument for LSM-based port binding policies, not against the <1024 requires root policy. Unless the two are mutually exclusive?

                                                                                                                          1. 1

                                                                                                                            Not exclusive, but even with LSM allowing the usage of port <1024 you still need to run given program as root. So all you gain is more complexity instead of simplification

                                                                                                                    2. 2

                                                                                                                      I trust the SSH server based on its fingerprint

                                                                                                                      I very rarely know the fingerprint of a server before connecting to it.

                                                                                                                      For my most commonly used hosts, I can look it up with a little bit of work (sourcehut, github, gitlab) but of those, only github made it easy to find and verify. For a lot of hosts in a corporate cloud though, the instances are torn down and replaced so often that host-based keys are essentially meaningless.

                                                                                                                      1. 7

                                                                                                                        If you’re not verifying host keys, you’re basically trusting the network - but you don’t, otherwise you could use telnet instead of ssh.

                                                                                                                        Maybe look into SSH host key signing, so you just need one public signing key to verify that the host has been provisioned by a trusted entity.

                                                                                                                        1. 3

                                                                                                                          It is also possible to use ssh with kerberos. Then you know that the server is the correct one. Even without ssh-fingerprints.

                                                                                                                        2. 5

                                                                                                                          You should really start checking the fingerprints. Ignoring that crucial step is how you get hacked. There are way more attack vectors than you can think of. An attacker could get in, for example through your jobs documentation intranet and modify an ip on a document. Or for example, if a DNS server of yours is compromised. If you use password authentication in these situations, you are essentially let the attacker in all servers you have access to.

                                                                                                                          Other comments already pointed out viable solutions. You should adopt one of them or simply start checking the fingerprints. What you are doing is dangerous.

                                                                                                                          1. 6

                                                                                                                            The “implied trust on first use”-model works well enough for many – though perhaps not all – purposes. It’s the “host fingerprint changed”-warning that provides almost all of the security.

                                                                                                                            1. 2

                                                                                                                              Most of the security no doubt. Almost all… That is debatable. If something happens once every 1000 would you not care to protect against it because you already provided 99.9% of the security?

                                                                                                                              What security is in essence, is accounting for the unlikely yet exploitable cases. You look at that attack vectors as a corner case until it is not a corner case anymore. This is how security threats evolve.

                                                                                                                              1. 1

                                                                                                                                The thing is, what is the attack vector here, and how do you really protect from it? In your previous post you mentioned modifying the internal documentation to change the IP; but where do you get the host key? From the same internal documentation? Won’t the attacker be able to change that, too?

                                                                                                                                You can use SSHFP records; but of course an attacker can potentially get access to the DNS too, as you mentioned.

                                                                                                                                The thing is that good distribution of these fingerprints is not a trivial problem if you’re really worried about these kind of attacks. Are they unfeasible? Certainly not, and if you’re working for a bank, CA registrar, or anything else that has high security requirements you should probably think about all of this. But most of us don’t, and the difficulty of pulling all of this off effectively is so high that most of us don’t really need to worry about it.

                                                                                                                                We don’t lock our houses with vault doors; a regular door with a regular lock is a “good enough” trade-off for most cases. If you’re rich you may want to have something stronger, and if you’re a bank you want the best. But that’s not most of us.

                                                                                                                                1. 1

                                                                                                                                  The attack vector is making you believe you are initially trusting the host you think you know, but it is in fact another host.

                                                                                                                                  But you are right, it you misguide a user into connecting to another host, you could also show him another fingerprint and trick them into believing itnid legit too. Fingerprints are just a huge number usually displayed as an unintelligible string of chars. It’s not like the user recognise them by heart.

                                                                                                                                  I do check them if I change computer, or if l connect to a knowm machine I ask a coleage to verify it. But I’ll agree that it.s a trade off and that maybe it.s ok for most people to just trust.

                                                                                                                      2. 3

                                                                                                                        I think this post and discussion around it is a waste of time. Right now, wasting my time. But I wanted to come here and proclaim in spectrum of terrible ideas, it doesn’t even register. Do you have scale that starts at terrible and then just goes to some k multiple of terrible?

                                                                                                                        I moved my ssh port in like 2002 (the year) , and you know what, I no longer had to see 150+ log messages a day about failed logins, it went to zero. Like 1-1. Mission Accomplished.

                                                                                                                        Please enumerate all the other terrible ideas I shouldn’t follow, might be a good list.

                                                                                                                        edit, btw, I am just poking good terrible fun at you.

                                                                                                                      1. 5

                                                                                                                        There were a few mentions of the laptop being rebranded, and I was curious about alternative vendors/retailers for Tongfang laptops in other regions (EU/US mostly). Apparently, I did not have to search for long, someone already did this about a month back: https://www.reddit.com/r/AMDLaptops/comments/hzlcjo/all_of_the_vendors_that_are_offering_the_tongfang/

                                                                                                                        1. 5

                                                                                                                          This was an incredible read, even for amateurs in ASM! Thanks!

                                                                                                                          You mentioned that at a point, many bots just bombed 0x000, which killed yours. How did they figure out that is a common place to place yourself at?

                                                                                                                          After each round, are the “bots” revealed to all participants, so that they can inspect eachothers bot, or is it “blind”, and you just have to anticipate your oponents methods?

                                                                                                                          Apologies for the generic language, assembly is not one of my strong points.

                                                                                                                          1. 1

                                                                                                                            This was an incredible read, even for amateurs in ASM! Thanks!

                                                                                                                            Thank you!

                                                                                                                            You mentioned that at a point, many bots just bombed 0x000, which killed yours. How did they figure out that is a common place to place yourself at? After each round, are the “bots” revealed to all participants, so that they can inspect eachothers bot, or is it “blind”, and you just have to anticipate your oponents methods?

                                                                                                                            Right, I should’ve included a gif of the gameplay; perhaps, watch a bit of the stream. So, each bot’s actions are fully visualized as colored boxes in a 32 × 32 grid, and the first 3 days of the event are just “practice” rounds—essentially to understand what others are doing and work around it to some degree for the finals (day 4). You improve your submission after each day of play. Anyway, to answer your question, yeah 0x000 is a fairly common position to place your bot at. And no, the bots aren’t “revealed”, technically. It’s on you to reverse engineer other bots by watching their gameplay.

                                                                                                                          1. 30

                                                                                                                            Can someone please help me understand how the announcement of a Linux subsystem for Windows becoming generally available is spam?

                                                                                                                            Prior to this you needed to be running a Windows Insider build in order to run it. I’ve seen a thousand thousand distro announcement posted here without getting this kind of treatment.

                                                                                                                            What am I not understanding about the rules and guidelines for this community? Or are people just as downright nasty with the flagging as they seem to be to me?

                                                                                                                            1. 11

                                                                                                                              Could be that FOSS purists flagged it since WSL enables people to run Linux on a proprietary OS. (Which, if true, is a very silly reason IMO.)

                                                                                                                              I think WSL is great. It was a godsend on my previous job which was mostly a Windows kinda place. Before that I used Cygwin, but WSL is much much more convenient.

                                                                                                                              1. 8

                                                                                                                                I am a WSL user on some of my Windows systems, and I greatly appreciate it. That being said, a few points regarding “spam”:

                                                                                                                                • The linked website is Canonical; Canonical has had some controversy regarding contribution to FOSS (back in the day, the company was monetizing a FOSS-derived OS - from Debian, without giving back to the FOSS community). I can only assume that some of the readers saw the intention of Canonical here as to monetize piggybacking on the Microsoft’s WSL2 availability.
                                                                                                                                • There are multiple text-based advertising paragraphs in the blog post, which mention the enterprise/corporate offering of Canonical and WSL (paragraph 4, and the first paragraph, and the title of the last section)
                                                                                                                                • The article (May 2020) mentions availability of an O/S in the WSL store. A tutorial (which is mostly generic, applies to almost any WSL2 migration/distro) is also present on the blog post. Ubuntu fails to mention what exactly is the WSL2 OS good for, how does it compare to other distros (or to the main release), what does it bring new (except enterprise support).

                                                                                                                                Now, some of the above may have not triggered some members of the community. I’m human, so I’m mostly biased, and while I haven’t flagged or hidden this particular story, I can imagine myself having a bad day and flagging an article from a company monetizing FOSS without contributing back as spam (see Google, Amazon).

                                                                                                                                1. 13

                                                                                                                                  I can imagine myself having a bad day and flagging an article from a company monetizing FOSS without contributing back as spam (see Google, Amazon).

                                                                                                                                  That would be working against the site guidelines. Lobste.rs has always been a place for technical discussion, how that tech is monetized or if its proprietary, GPL or BSD licensed and how the company/individuals contribute back / if at all should have no impact if a story is on topic or not.

                                                                                                                                  Judge the content, not the person/entity behind it.

                                                                                                                                  1. 2

                                                                                                                                    Now, some of the above may have not triggered some members of the community. I’m human, so I’m mostly biased, and while I haven’t flagged or hidden this particular story, I can imagine myself having a bad day and flagging an article from a company monetizing FOSS without contributing back as spam (see Google, Amazon).

                                                                                                                                    Right, and you yourself seem to agree that doing so is a mis-use of the flag mechanism.

                                                                                                                                    The appropriate response would be either a constructive comment or maybe even if you cared to / had time a private message around how the article lacks technical merit and probably doesn’t belong here, accompanied by a simple non upvote.

                                                                                                                                    Or maybe we need a new flag “lacks technical merit” :)

                                                                                                                                  2. 7

                                                                                                                                    What am I not understanding about the rules and guidelines for this community? Or are people just as downright nasty with the flagging as they seem to be to me?

                                                                                                                                    It’s definitely not just you. I’ve noticed frequent “flagging as spam” of late as well - just monitor Recent for a while and you’ll spot it immediately. The articles that are being flagged would certainly not have been flagged a year or two ago. Perhaps this warrants a wider discussion…

                                                                                                                                    1. 5

                                                                                                                                      Me too. I had a definitely-not-spam submission flagged the other day as well. I asked the mods to delete it; I don’t submit spam but hell if I wanted to offend anybody. As it turned out, others upvoted so it worked out okay.

                                                                                                                                      But it left a bad taste in my mouth. I know we’re all supposed to assume positive intent, but as long as we’re not identifying anybody individually, I have a weird feeling that there’s something deliberately negative going on here. I don’t know what, but it doesn’t feel right. Content can be poor quality, bad advice, poorly-written, dated, or off-topic without it being anywhere near spam. In that case just don’t upvote it, or make a comment explaining what you think may be technically bad about the piece. (You know, you might be mistaken! I am mistaken quite a lot) I am concerned something’s not working as it should.

                                                                                                                                      1. 2

                                                                                                                                        It’s definitely not just you. I’ve noticed frequent “flagging as spam” of late as well - just monitor Recent for a while and you’ll spot it immediately. The articles that are being flagged would certainly not have been flagged a year or two ago. Perhaps this warrants a wider discussion…

                                                                                                                                        I definitely think this warrants a wider discussion as well. Take a look at @gerikson’s comment above. There’s no bad intent there, but he’s using the SPAM flag as “I feel this article is lacking in technical merit”. He chose to un-flag as did the other person after I called the flagging choice into question, but I think we need to do some work as a community to come to a common understanding of what the flags are FOR and how we want to use them to make the community better.

                                                                                                                                        1. 2

                                                                                                                                          Yes, agreed. Taking a look at a recent story, How To Make Ubuntu Work Like Windows 10, it currently has a score of 5, made up of “+12, -2 off-topic, -5 spam”. Quite a mix, suggesting that there are some differing views about what posts are appropriate.

                                                                                                                                          1. 3

                                                                                                                                            I also notice that the flag explanations link in the About page seems broken. I’m going to message the mods about that, might help people to understand the goals of the mechanism better.

                                                                                                                                            1. 2

                                                                                                                                              For what it’s worth I went and hunted down the explanation of what flags are for. “Spam” says “promotes a commercial service”. The explanation is in the middle of the “Ranking” section: https://lobste.rs/about

                                                                                                                                              1. 1

                                                                                                                                                I think the problem is that some people use “spam” as a catchall when flagged posts they think are inappropriate. I know that some people leave a comment when they do so, at least explaining their thinking, but they’re in the minority.

                                                                                                                                        2. 7

                                                                                                                                          I found it borderline, flagged it but I have since unflagged it.

                                                                                                                                          What I’d like to see: a post that describes the differences between WSL1 and WSL2 and how it pertains to Ubuntu; why WSL2 is worth the update; what changes Ubuntu made to accomodate WSL2, etc.

                                                                                                                                          Also what I’d like to see, what distribution (if any) is best for WSL ?

                                                                                                                                          For Ubuntu, the more mindshare they have among WSL users, the better. So this entry can be seen as marketing.

                                                                                                                                          Final edit I removed a bunch of mildly self-pitying and sarcastic remarks around this comment being flagged, but it looks now I was mistaken. I stand by my words above.

                                                                                                                                          1. 2

                                                                                                                                            For Ubuntu, the more mindshare they have among WSL users, the better. So this entry can be seen as marketing.

                                                                                                                                            Final edit I removed a bunch of mildly self-pitying and sarcastic remarks around this comment being flagged, but it looks now I was mistaken. I stand by my words above.

                                                                                                                                            If you look at the description for the Spam flag it says: Promotes a commercial service.

                                                                                                                                            WSL is in fact a closed source proprietary commercial product sold by Microsoft. It’s certainly not a ‘service’ and I personally feel that while this article probably lacks technical merit, it’s probably not Spam under the current definition of the flag either.

                                                                                                                                            I actually thought long and hard before posting this, and what ultimately swayed me was the fact that WSL now being available to main line Windows 10 users not part of the Windows Insider program seemed like technical information that could be useful and interesting to the community here.

                                                                                                                                            So I guess the question for this community is - what do we want to be? If release announcements aren’t of interest because they lack the kind of deep technical content we want to see, then perhaps we should consider being clear about that.

                                                                                                                                            Anyway, lots of good discussion here. Thanks for taking part in it, and again thanks for explaining your motivations.

                                                                                                                                            1. 1

                                                                                                                                              a post that describes the differences between WSL1 and WSL2 and how it pertains to Ubuntu; why WSL2 is worth the update

                                                                                                                                              As I understood it, the main difference is that WSL1 was an emulation layer that translated system calls into the corresponding Windows API calls, whereas WSL2 is a (lightweight) VM running an actual Linux kernel.

                                                                                                                                              See: https://docs.microsoft.com/en-us/windows/wsl/compare-versions

                                                                                                                                              1. 1

                                                                                                                                                I actually installed WSL1 yesterday, and was mildly disappointed my computer is not yet updated to be able to handle WSL2.

                                                                                                                                                What I meant was I’d like Canonical to expand more on how they’ve worked (or not had to!) to work with WSL2.

                                                                                                                                                Edit apparently WSL2 is faster, which I appreciate. I’ve been using Cygwin before and reading and processing 10k files there was very fast, in WSL1 it’s painfully slow.

                                                                                                                                                1. 3

                                                                                                                                                  Yes WSL1’s lackluster performance is well documented. It’s why the put so many engineering hours into creating WSL 2, and the results are impressive.

                                                                                                                                                  Sorry your computer isn’t up to the 2004 version required - I know not everyone is just running Windows at home for themselves and may be locked down by IT or other constraints, but for those who do control their own systems the 2004 update is fully released and anyone can go grab it, it just hasn’t been queued for automatic deployment yet.

                                                                                                                                                  Also I wanted to thank you for your cards up post around why you flagged and un-flagged the article as Spam. I think there’s a disconnect in this community around how flags are used. It seems to me that the mods created flags as a means of allowing the community to police and bar raise itself, but people are instead using them as you did as a way to say “This article lacks technical merit” or in some cases even “I disagree” which to me is an even more egregious abuse of the mechanism.

                                                                                                                                                  1. 1

                                                                                                                                                    I’ll have to check whether I can update to 2004… we’ve gotten new practices re: computer management from the mothership.

                                                                                                                                                    I’ve actually been quite happy with Cygwin for my purposes but figured the WSL is The Future(tm) now.

                                                                                                                                                    1. 1

                                                                                                                                                      Interesting that you find Cygwin’s performance better than WSL1. I’ve used Cygwin off-an-on for many years but tend to prefer a Linux VM (via Vagrant) when forced to use Windows. In my limited usage I’ve found WSL1 to be a better experience than Cygwin, at least for shell interactive usage - I’ve not done any heavy processing with it.

                                                                                                                                                      1. 1

                                                                                                                                                        Glad to hear Cygwin meets your needs. It’s certainly battle tested!

                                                                                                                                                        One of the things that others have cited in this thread that WSL brings to the table is official support from external tools like IDEs.

                                                                                                                                                        I can write and debug my code in VSCode or Pycharm, and then deploy and debug in WSL because both tools explicitly have first class support for it.

                                                                                                                                                        This is a pretty compelling feature for some of us.

                                                                                                                                                    2. 2

                                                                                                                                                      I actually installed WSL1 yesterday, and was mildly disappointed my computer is not yet updated to be able to handle WSL2.

                                                                                                                                                      Dunno if you saw this most recent announcement. They backported it even further. Hope this helps!

                                                                                                                                                      1. 2

                                                                                                                                                        Thanks, I did see that! Unfortunately corporate policy still has me stuck on a version that’s too old…

                                                                                                                                                2. 2

                                                                                                                                                  It’s a little sad to see this. Perhaps this kind of behaviour could be looked at and addressed? Il not sure what to call it, but it feels distasteful to me.

                                                                                                                                                  1. 2

                                                                                                                                                    I think it’s a simple matter of the community not having a good shared understanding of what the flag feature should be used for.

                                                                                                                                                    My impression is that the moderators meant for it to be a relatively serious step that could be used to censure posts that are VERY far afield from the intent of the community, but instead people are using it for making statements like “I disagree”, “This lacks technical merit” or “This represents a commercial interest engaging in marketing” which I’d personally assert is part and parcel of “lacks technical merit”.

                                                                                                                                                    I don’t know how we get the word out about this though without being too heavy handed.

                                                                                                                                                    1. 2

                                                                                                                                                      I see some comments with explanations already, which is great, as knowing why is going to be key in finding a better way to solicit the feedback that this is aiming for.

                                                                                                                                                1. 3

                                                                                                                                                  Hey, author of the post here! Really happy to see it on Lobsters, and I’d be happy to answer any questions and/or comments you have!

                                                                                                                                                  I encountered this “bug” while working on rewriting my iOS app with the new App and Scene structures introduced during WWDC2020. The project is nearing completion, and I’m really excited about how its turning out.

                                                                                                                                                  Enjoy!

                                                                                                                                                  1. 12

                                                                                                                                                    Unfortunately not related to the content, but for me the font choice made the post too difficult to read.

                                                                                                                                                    1. 3

                                                                                                                                                      Understandable. I was attempting to make it “retro,” though I’m going to change the font when I rewrite the site (soon) to make it clearer and load faster.

                                                                                                                                                      1. 2

                                                                                                                                                        I agree with you. Try using Reader View if your browser supports it. It’s much better.

                                                                                                                                                        1. 2

                                                                                                                                                          Pictures/videos also don’t work in Safari 14.

                                                                                                                                                          1. 1

                                                                                                                                                            Yeah, they’re in .webm which for some reason is not supported by Safari despite massive size reductions from mp4. Going to need to add mp4s.

                                                                                                                                                        2. 3

                                                                                                                                                          Nice post! Happens to all of us :-)

                                                                                                                                                          That’s what you get for populating static items in a list. I’m a little confused about the sorting (or whether it works as needed):

                                                                                                                                                          • Completed tasks are at the bottom. Ongoing tasks are at the top.
                                                                                                                                                          • Higher priority items are at the top of their category (completed/ongoing).
                                                                                                                                                          • After above two points, ordering is done ascending, by task name.

                                                                                                                                                          The above statements sound nice, but:

                                                                                                                                                          • the UI fails to show important (high prio) tasks
                                                                                                                                                          • sorting by name is not visible, as the point above. Looking at the videos your provided, it appears sorting is random (although it may not be)

                                                                                                                                                          I’m not an Apple user, but I would enjoy having a task list with the following features:

                                                                                                                                                          • Priority items clearly marked (color/“hotness” or font weight)
                                                                                                                                                          • Completed tasks with a “greyed out”/“disabled” state (the strikethrough helps)
                                                                                                                                                          • Sorting based on the timestamp when the item was created/modified/completed
                                                                                                                                                          1. 1

                                                                                                                                                            Thank you for the great suggestions!

                                                                                                                                                            Some clarifications about sorting:

                                                                                                                                                            • The exclamation marks on the trailing side are supposed to be the main indicator of priority, which I understand might be too small of an indicator.
                                                                                                                                                            • The “ascending task name sort” is just a fancy way of saying alphabetical order. Because it’s the third priority it may seem a little random, but what it does is sort all tasks of the same priority and the same category (completed/ongoing) in alphabetical order.

                                                                                                                                                            Feature suggestions:

                                                                                                                                                            • I love the idea of color/weight indicators for priority! Definitely going to implement that going forward.
                                                                                                                                                            • Completed tasks are grayed out in addition to the strikethrough in the main app, I’ve just yet to implement it in the rewrite.
                                                                                                                                                            • The timestamp sort would be an important thing, but a big feature of the app is that tasks get deleted at midnight every day so that would be a really short-term thing. I will consider adding it as an additional sort method, though.
                                                                                                                                                        1. 2

                                                                                                                                                          So, the two situations where this vulnerability applies (requires SecureBoot to be enabled):

                                                                                                                                                          • Inside an already booted system where user-space has write access to the EFI partition, or, in general to the grub.cfg file
                                                                                                                                                          • In an offline attack where someone pulls out the disk, changes the grub.cfg file to exploit this (and inserts an implant which, for example, reads the passphrase for any encrypted root partitions, while you type it) I believe this is an evil maid scenario.

                                                                                                                                                          The outcome is always the same. The attacker gains arbitrary code execution, while bypassing SecureBoot. The most common result: privileged access to the booted system, after the first reboot.

                                                                                                                                                          1. 2

                                                                                                                                                            Excellent technical write-up, and incredible architectural flaw.

                                                                                                                                                            I’m assuming sacrificing some security for performance is sometimes OK, as long you don’t have to sacrifice all of it. The flaw makes me think that any compromised “Windows Server Container” leads to the ultimate compromise of the container host.

                                                                                                                                                            Some questions that may have been left unanswered, from my view:

                                                                                                                                                            • Is MS addressing this in any way?
                                                                                                                                                            • Most devices are using symbolic links to be mapped at the global level. While the WinObj screenshot of the container/silo shows virtual networking interfaces, would it be possible to exploit this outside of the filesystem space, and also on the other devices (Ethernet, USB HID, cameras, COM ports, smartcards)?
                                                                                                                                                            1. 14

                                                                                                                                                              If you want to run your own version, I can highly recommend the independent rust server implementation here: https://github.com/dani-garcia/bitwarden_rs

                                                                                                                                                              Very easy to set up and compatible with the browser extensions, android app etc.

                                                                                                                                                              I have been using this for month running it on a raspberry pi behind a VPN at home (with encrypted offsite backup). Works like a charm

                                                                                                                                                              1. 6

                                                                                                                                                                Or, you can use @jcs’s rubywarden.

                                                                                                                                                                1. 1

                                                                                                                                                                  I am trying out bitwarden_rs now and do feel the same usability as the mainstream software. do you have any feedback about rubywarden regarding existing features, usability compared to the main software, and mostly, maintenance tips? thanks!

                                                                                                                                                                2. 4

                                                                                                                                                                  I run this in a docker container alongside watchtower to keep it up to date. Runs like a champ, I hardly ever have to touch it.

                                                                                                                                                                  1. 3

                                                                                                                                                                    same here. I am not a fan of docker in general, but trying to compile this myself on a raspi tipped me over the edge towards using docker for this.

                                                                                                                                                                1. 5

                                                                                                                                                                  My experience with Riot and Matrix has been so far amazing. The adding of cross-signing is a bliss, and a long awaited feature. The cross signing in Android is yet missing on the stable (real) app.

                                                                                                                                                                  Unfortunately, what the article fails to mention is that “RiotX Android” is the unfinished complete rewrite of the Riot Android application (stable), which makes signing unusable for those of us who use the stable app as a daily driver. My personal vendetta with RiotX started a while back, and its memory consumption is about 40% higher than that of its predecessor (I just installed and checked). Battery usage used to be significantly higher, although this might have change since I last checked. The main showstopper for me is: video/audio calls (1:1) are not implemented in this new rewrite.

                                                                                                                                                                  Although I tend to complain alot, I do find Riot/Matrix an amazing piece of software engineering. The cross-signing feature improves usability tenfold and makes secure communication easier for non-IT people too. I just wish I could benefit from it on all my devices.

                                                                                                                                                                  1. 2