1. 21

    I would have fallen for this.

    The gist is that the personal accounts of some university staff with @~.ac.uk email addresses and access to personal homepages on the university’s domain were compromised. Thus, the emails seemed far more legitimate than they otherwise would have.

    The real problem is that those university homepages were then hosting a Firefox 0-day. That is a separate issue from the email phishing problem, people could have gotten to those pages via a DDG search.

    The whole issue goes to show that browser security is paramount. Should we start considering running our web browsers in containers? Full VMs? Separate user accounts? I really don’t know how far is too far.

    1. 15

      Yeah, it’s pretty hard to adjust your threat model to include a Firefox 0day :| I suppose you could look into virtualization or containers. But then, the Firefox 0day would still get access to all of your web sessions.

      I think it’s more worthwhile auditing Firefox’s sandbox, so that future 0days will be limited to the content process. But that’s my job anyway, so you all don’t have to (and makes my thinking biased :-))

      1. 3

        Using NoScript with its default default-deny policy would have prevented the attack.

        1. 1

          In Guix, I’ve been running IceCat (a FF derivative) in a container for some time now, but it needs a bit of work:

          https://lists.gnu.org/archive/html/help-guix/2019-06/msg00292.html

          If there are any people at Mozilla who find this problem interesting and would like to offer advice on some of the issues I outlined there, it’d be great if one day a containerized Firefox (or IceCat, in Guix’s case) could be the norm.

        2. 2

          I was also thinking this.

          Would there be any way to add another level of security around, say, Firefox without breaking any of its functionality? I’d love that!

          1. 7

            You might want to have a look at https://www.qubes-os.org/

            (I never tried it, though)

            1. 3

              There was once Chrome with capsicum extensions but it was never accepted by upstream. The idea of Capsicum (iirc) is to add capabilities to FreeBSD to restrict applications from doing things that weren’t expected (thereby “sandboxing” it). You could restrict to which directories it could write and which syscalls it was allowed to do. In practice, I think it was a bit like pledge on OpenBSD.

              1. 7

                You could restrict to which directories it could write and which syscalls it was allowed to do. In practice, I think it was a bit like pledge on

                Chrome is sandboxed (unveil) and pledged on OpenBSD. It can only access files within your ~/Downloads directory.

                1. 1

                  That’s neat. You happen to know if Firefox has something similar on OpenBSD?

                  1. 2

                    Last time I checked it only had W^X support (which Chrome doesn’t) but no pledge/unveil - I haven’t checked in a while though.

                    1. 2

                      pledge sandboxing has been merged into Firefox some time ago: https://bugzilla.mozilla.org/show_bug.cgi?id=1457092

                2. 4

                  iirc, pledge is for syscalls, unveil is for directories.

                  1. 2

                    Thanks for the correction. I suppose Capsicum is a bit like a combination of both then.

                    1. 2

                      Capsicum is more general purpose and more flexible, but with this comes complexity in implementing it. OpenBSD’s sandboxing primitives are far more primitive and sweeping, but their hope is because it’s easy to implement once you know what subset you have, it can both be easily implemented and keep narrowing after privileged init operations take place, even if it isn’t 100%.

                      1. 2

                        I wouldn’t describe it as flexible really. It’s very rigid yet elegant. Capsicum is a fundamental change to the way apps work: file descriptors are treated as capabilities — you can’t conjure them out of thin air (i.e. from global namespaces) once in capability mode, you have to derive new ones from existing ones: openat() a file under a directory you already have a descriptor to, accept() on a socket you already have, get one passed in over a unix socket you already have and so on.

                        With LD_PRELOAD hacks, you can use it to sandbox existing, unaware apps too :)

                        BTW, since this is a browser thread: I might look into adding Capsicum support to Firefox “soon”. The content processes are already designed around fd passing, but I think they let GTK and other libs open whatever they want.
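A worked illustration of the descriptor-as-capability model described in the comment above. This is an added example, not code from the thread or from any browser: it pre-opens a directory descriptor, calls cap_enter() where Capsicum exists (assumed to be FreeBSD only; on other systems the header and call are absent, so the sandbox step is skipped), and then shows that openat() relative to the held descriptor still works while an open by absolute path is the kind of access capability mode refuses.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#ifdef __FreeBSD__
#include <sys/capsicum.h>   /* cap_enter(): FreeBSD only */
#endif

/* Enter Capsicum capability mode where the OS supports it.
 * Returns 1 if the process is now in capability mode, 0 if the
 * feature is not available here (assumed: any non-FreeBSD system). */
static int enter_capability_mode(void) {
#ifdef __FreeBSD__
    return cap_enter() == 0;
#else
    return 0;
#endif
}

/* Try to open an absolute path from the global filesystem namespace.
 * Returns 0 on success, otherwise the errno value. In capability mode
 * this is exactly the kind of open that is refused (ECAPMODE). */
static int open_from_global_namespace(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Derive a new descriptor from a directory descriptor the process already
 * holds and read the file's contents into buf. Returns bytes read or -1.
 * This is the pattern that keeps working inside capability mode. */
static ssize_t read_relative(int dirfd, const char *name, char *buf, size_t len) {
    int fd = openat(dirfd, name, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Set up a constructed temp directory with one file, keep the directory
 * descriptor as the capability, sandbox, then compare the two ways of
 * reaching the file. Returns 1 if the descriptor-derived open succeeded
 * and read back the expected contents, 0 otherwise. */
int demo_capsicum_pattern(void) {
    const char *content = "sandboxed=yes\n";   /* constructed sample data */
    char dir[] = "/tmp/capdemo.XXXXXX";
    char path[64];
    char buf[64];

    if (mkdtemp(dir) == NULL) return 0;
    snprintf(path, sizeof path, "%s/config.txt", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return 0;
    ssize_t w = write(fd, content, strlen(content));
    close(fd);
    if (w != (ssize_t)strlen(content)) return 0;

    /* Acquire the capability before sandboxing: after this point no new
     * descriptors may be conjured from paths, only derived from this one. */
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) return 0;

    int sandboxed = enter_capability_mode();
    int global_err = open_from_global_namespace(path);
    int derived_ok = read_relative(dirfd, "config.txt", buf, sizeof buf) > 0
                     && strcmp(buf, content) == 0;

    printf("capability mode: %s\n", sandboxed ? "entered" : "not available on this OS");
    printf("open(\"%s\"): %s\n", path, global_err ? strerror(global_err) : "ok");
    printf("openat(dirfd, \"config.txt\"): %s\n", derived_ok ? "ok" : "failed");

    close(dirfd);
    /* Removing by path is itself a global-namespace operation, so cleanup
     * only happens when we never entered capability mode. */
    if (!sandboxed) { unlink(path); rmdir(dir); }
    return derived_ok;
}

int main(void) {
    return demo_capsicum_pattern() ? 0 : 1;
}
```

On FreeBSD the absolute-path open reports ECAPMODE after cap_enter() while the openat() still succeeds; elsewhere both succeed and only the derivation pattern is shown.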

                3. 2

                  Would there be any way to add another level of security around, say, Firefox without breaking any of its functionality? I’d love that!

                  Besides what others suggested, you may want to use uMatrix and block 1st and 3rd party JavaScript by default. The whole idea of running untrusted code on your machine is kinda insane, despite how impressive browser sandboxes are nowadays.

                  1. 1

                    Already using uMatrix, uBlock, NanoDefender and Firefox Custom blocking for a while now.

                    It’s just really hard to get anyone else to change their workflow as much as I did.

                  2. 1

                    I haven’t tried it [yet], but there’s https://github.com/netblue30/firejail .

                    Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications

                    (No connection to Firefox, though the morpheme “fire” in the name might suggest that.)

                    1. 1

                      Only for Linux, right? Too bad.

                1. 7

                  I for one use permissive licenses in the hope that one day an aerospace company will use my code and it will end up in orbit.

                  1. 10

                    Maybe they already do? With a permissive license you have good chances of never finding out.

                    1. 3

                      And how would the GPL change that?

                      1. 2

                        Because the aerospace company would have to publish their code.

                        1. 11

                          s/publish/provide to customers/

                          1. 6

                            No. It is not required to publish GPL code of the modified version if it remains private (= not distributed).

                            So you have the same chances of never finding out about usage in either case (but the virality of GPL might actually decrease the odds).

                            1. 1

                              I was referring to this aspect of the license:

                              But if you release the modified version to the public in some way, the GPL requires you to make the modified source code available to the program’s users, under the GPL.

                              Whether or not that would come into play with the hypothetical aerospace company in question is beside the point.

                            2. 0

                              Or not.

                          2. 1

                            https://www.gnu.org/licenses/gpl-faq.en.html#GPLRequireSourcePostedPublic

                            I guess what you mean is better chances of finding out?

                          3. 7

                            I found out that my open source code was being used in nuclear missiles. It did not make me feel good.

                            1. 2

                              What license were you using?

                              1. 2

                                GPL

                                1. 2

                                  Interesting that you could have discovered this, would presume such things would be quite secretive. I guess there’s nothing you can do to stop them using it either?

                                  1. 2

                                    It was a shock. And nope, nothing could be done. In fact, I suspect that Stallman would say restricting someone from using software for nuclear weapons (or torture devices or landmines or surveillance systems) would be a violation of the all important issue of software freedom.

                                      1. 1

                                        It would be an interesting argument to try to make. The FSF already recognizes the AGPL – which explicitly does not grant Freedom Zero as defined by the FSF – as a Free Software license, and the general argument for that is one of taking a small bit of freedom to preserve a greater amount over time. A similar argument could be made about weapons (i.e., that disallowing use for weapons purposes preserves the greatest amount of long-term freedom).

                                        1. 1

                                          … Stallman would say … violation of the all important issue of software freedom

                                          Restricting use on ethical basis is quite difficult to implement for practical reasons.

                                          1. 1

                                            That’s not really the issue. One of the things I dislike about FSF/Stallman is that they claim, on moral principle, that denying a software license to, let’s say, Infant Labor Camp and Organ Mart Inc. would be wrong. I think that “software freedom” is pretty low down on the list of moral imperatives.

                                            1. 1

                                              Being able to (legally) restrict the use of my creative output (photographs in my case) is the reason I retain the “all rights reserved” setting on Flickr. I’d hate to see an image of mine promote some odious company or political party, which is what can happen were I to license it using Creative Commons.

                                  2. 2

                                    How did you find out?

                                    1. 2

                                      They asked me to advise them.

                                    2. 2

                                      For ethical reasons or for fear of some possible liabilities somewhere down the line?

                                      1. 11

                                        What a question. I didn’t want to be a mass murderer.

                                  1. 10

                                    I’ve been thinking about this a bit as of late as well, as I’m working on some open source programs that I also want to offer as a service, roughly similar to Drew’s SourceHut.

                                    For this, the GPL probably makes more sense. I don’t want to stop anyone from running their own copy of my software, and I don’t mind if they offer it as a service, but I would mind if someone would take the source code, make a few modifications, and then offer that as a service. It’s taken me some time to warm up to this, because I also don’t like restricting people’s freedom and am not a huge fan of GNU/FSF/RMS, but I’ve slowly warmed to the idea that the GPL is a better fit for this project.

                                    For most of my other projects this is not really an issue. For example I recently did some work on a commandline Unicode database querying tool. It’s pretty useful (for me, anyway), but I don’t think anyone is going to add proprietary extensions to this; there’s simply no reason to. The simpler MIT seems like a better fit for this. Even if someone would use it in a proprietary context, I have nothing to lose by it, so why not allow it?

                                    It seems like a “right tool for the job” kind of thing to me.

                                    1. 24

                                      You’d want the AGPL in your case, then, which is designed for network services like SaaS.

                                      1. 2

                                        This article explicitly states that the AGPL does not address the problem of SaaSS (Service as a Software Substitute), as the FSF/GNU call it:

                                        https://www.gnu.org/licenses/why-affero-gpl.html

                                        I otherwise agree—it is designed for software accessed over a network, and is appropriate for this case; it’s just the “SaaS” part I’m commenting on.

                                        1. 3

                                          I am aware of this stance, but thanks for pointing to it. It is of course true that a SaaS company may process the data in a way that doesn’t provide the freedoms the AGPL attempts to preserve—I just don’t have a better option to suggest. :(

                                      2. 6

                                        Exactly! I posted my licensing philosophy in another thread recently and it’s basically this.

                                        For libraries (which most of my projects are), I do not want a large license, I do not even want any copyright, my sentiment for libraries is very strongly “I’m throwing this crap out there, do whatever the hell you want.” I used to use the WTFPL, but then switched to the more serious Unlicense. But if I were to pick my preferred license for this now, it would be 0BSD :) For end-user apps, I have no problem with copyleft, the one Android app I made a while ago is under the GPL even.

                                        Also to expand on this: if someone uses, like, my http library in a proprietary project, I don’t see it as a corporation exploiting my work, I see it as my work helping another worker do their job.

                                        1. 5

                                          I quite like the Blue Oak Model License for a permissive license and have started using it in my open source projects (where I have sole copyright and can license/relicense as I please). Compared to the 0BSD license, it discusses patents (to protect all contributors from liability in case any other contributor enforces a patent they own now or later) and there’s also no required copyright line and dates to keep up to date. It’s odd to me that the 0BSD license would remove the need to include the copyright attribution to gain the license, while still including the copyright line at all.

                                          1. 1

                                            Last time I saw it, it looked interesting. But I wonder if it is reviewed by other lawyers. Also, it does not seem to be OSI/FSF/…-approved yet?

                                            1. 2

                                              It’s not, but not due to some issue with the license. The authors are less-than-endorsing of OSI and haven’t applied for approval: https://writing.kemitchell.com/2019/05/05/Rely-on-OSI.html

                                              1. 1

                                                That’s unfortunate. I work on a package manager and we aren’t lawyers (nor do we have money to pay), so we default to “whatever DFSG/OSI sees as OK, we do too”

                                                1. 4

                                                  The Blue Oak Council specifically set out to create a permissive license list first: https://blueoakcouncil.org/list

                                                  The Model License came about due to a lack of the desired qualities in many of the other licenses available for public usage, but it wasn’t the original goal of the project.

                                                  Maybe consider licenses on that list, or parts of the list?

                                                  I also recommend reading the blog post I linked above, because blindly accepting whatever OSI approves will likely not end up well for whoever is accepting the license or that policy.

                                          2. 1

                                            You really need patent protection in the license to reduce risk of patent trolling. That’s a huge problem. Most permissive licenses pretend patent law doesn’t exist.

                                          3. 3

                                            How does GPL prevent someone from modifying your code and then offering it as a service? The modified code is not being distributed. This is key to the business model of Facebook, Google, Amazon etc and why Reddit changed their license.

                                            1. 3

                                              It doesn’t, and that’s okay. But it does prevent people from using my code with their own proprietary extensions without contributing their changes back (the AGPL does, at least).

                                            2. 4

                                              I have nothing to lose by it, so why not allow it?

                                              What people often miss is that applications and libraries in a GPL ecosystem protect each other from patent trolls, tivoization, and, partially, SaaS/cloudification.

                                              How does the “herd immunity” develop? In the same way companies create large patent portfolios as a legal shield/weapon: if a bad actor enters litigation against one project/product/patent it can be sued regarding others.

                                              1. 7

                                                There are plenty of other licenses that discuss and protect against patent trolls. Off the top of my head:

                                                • MPL 2.0
                                                • CDDL
                                                • Apache 2
                                                • Blue Oak Model License

                                                1. 1

                                                  I did not claim GPL is the only one. Also, some of those do not protect against tivoization or have other issues.

                                                  1. 2

                                                    But do you really care about, say, tivoization, if you wanted to use a more permissive or less copyleft license than the GPL? Patent protection is important for all licenses. Tivoization protection is not.

                                              2. 1

                                                There is a deep cultural difference between the Open Source crowd and the Free Software crowd. Open Source crowd says “Right tool for the right job” and the Free Software crowd says “Right tool for the right society”. These are different points of view at a very fundamental level. Open Source people believe in it because they think it makes better software. Free Software people aren’t concerned with making “better quality software”. They think it’s good to make better software, but acknowledge that proprietary might be better in many cases. But that’s not the point of Free Software to them. Free Software people view the GPL as a social hack, not an end in itself.

                                                1. 2

                                                  Free Software people aren’t concerned with making “better quality software”.

                                                  Citation needed.

                                                  1. 1

                                                    To be more specific, Free Software people don’t view “better quality software” as the end goal. Freedom is the end goal.

                                              1. 2

                                                I don’t get this sort of thing at all. For me, j and k motions are used constantly, and I don’t know of any other commands that substitute well. I even set up J and K to be 10j and 10k, respectively, because I often find { and } not that useful. I don’t want a plugin to turn them off, because I’m not sure what they plan to replace them with.

                                                Meanwhile, I very rarely use h and l. I find them super-tedious to move more than a few chars at a time. I don’t see why anyone would use them over w and b. I don’t need a plugin to convince me not to use them - I’m already convinced.

                                                1. 1

                                                  Meanwhile, I very rarely use h and l. I find them super-tedious to move more than a few chars at a time.

                                                  What do you do if you want to change something like FooBarFoo to FooFooFoo or similar middle-of-the-identifier edits where w/e don’t consider the terms distinct? I’ve seen people recommend f<letter>c<motion> but I’ve always thought counting letters to use with the f motion takes more time than leaning on h/l. Similar story for forward/backward search when your target is on the same line.

                                                  1. 1

                                                    `;` repeats the last f/F/t/T motion, and `,` does the same in the opposite direction. If I’m in a situation where counting would be necessary, it’s sometimes faster to spam `;` a few times, and if I accidentally pass it, use `,`.

                                                    It’s not elegant, but it works well for those situations where you expect `fB` to match but it doesn’t.

                                                    e.g. to s/FooBarFoo/FooBarQuux/, `fF;cwQuux`.

                                                    Usually there’s other motions that’ll work in context too, depending on what text surrounds it.

                                                    1. 1

                                                      I would do fBctF for that. I find it easy because I’m already thinking about “I want to change Bar to Foo right up to the next Foo”, so the letters f and t come to mind easily. If I’m h/ling, then I have to either try to count letters, which is distracting, or hold one down, probably overshoot and need to go back, which is also distracting. The whole thing I like about Vim is how, once you commit certain things to instinctive memory, you spend very few mental cycles thinking about how to make an edit you want to make or waiting to switch between mouse and keyboard.

                                                      It’s also cool that Vim is almost a completely different program for everyone who uses it and can fit many different mental models about how to edit text.

                                                      1. 1

                                                        It depends how many characters you want to change. When it is just “Bar”, I’d probably use 3s.

                                                  1. 2

                                                    It’s a subtle way of requesting human machines.

                                                    Maybe for many companies it is, but that’s an unfair generalization.

                                                    (First, to be clear: side projects are far from a make-or-break when I look at candidates. It provides additional information that contributes to the overall picture of the programmer—qualities that might be demonstrated elsewhere.)

                                                    When I look for a passionate programmer, I want someone who is going to contribute that passion to the team. If by “machine” the author means someone who’s going to sit down and mechanically pump out code, then this is the antithesis of the team that I want to be a part of. I want organic candidates that contribute not only code but to the processes, knowledge, and culture of the team. I want someone who will work well with others, but isn’t afraid to speak their mind.

                                                    Don’t be turned off by all requests for side projects or code samples. My advice would be: be yourself. It is painfully obvious when someone forces “side projects”, or simply commits coursework. That is mechanical. If you do not express passion or interest for your career in that way, then demonstrate it in another, even if it’s in writing. Make me interested enough to interview you so that you can really speak to your interests.

                                                    But don’t try to state what isn’t there. I’m often let down when someone states skills on their resume or elsewhere that they don’t actually possess and then can’t answer the most elementary interview questions about them. I’m disappointed when someone provides code samples or “side projects” that look interesting, but turn out to be code copied or slightly modified from elsewhere (someone else’s project, coursework, training sites, etc).

                                                    1. 33

                                                      On HN, Twitter, reddit, and Medium I am told to have side projects to be employable. My thoughts:

                                                      a) I have side projects to learn and have fun, not to impress an interviewer. My side projects are for fun, exploration, experimenting, etc. They may not be finished or polished (or they may be!). The idea that I should give my leisure time outside of work to build stuff for the sake of finding better work is ridiculous to me. Granted, sometimes you can do both at the same time.

                                                      b) In the handful of startups and big companies I’ve been associated with, I’ve been the only person in the team that has an active GitHub profile or other open source contributions. Most of my coworkers don’t code outside of work and are doing just fine; some having worked at “prestigious” companies. People need to understand that this isn’t actually the “norm” in the real world.

                                                      1. 20

                                                        Another ugly detail that’s often glossed over is that most of the people with substantial open source contributions (meaning that they led projects that are now used all over the world and can make money consulting) had the opportunity to work on open-source software on paid time.

                                                        In a typical closed-allocation/authoritarian company, these aren’t the best hires, because they often expect to be able to work on open-source software (it’s how they got where they are) and it can inspire resentment. I’ve seen top-notch people actually get let go because middle managers got sick of explaining to the plebs why they couldn’t work on externally visible projects while someone else could.

                                                        The more progressive companies have recognized that high-IQ people need something more like a research environment and encourage them to speak at conferences and contribute to open source projects and publish papers. However, getting into these companies is very difficult and they’re inaccessible to garden-variety software engineers.

                                                        1. 4

                                                          FWIW, I have recommended this, but mainly for people who don’t have much formal experience or education to get their first junior position. I think it’s a little crazy to require experienced professionals to also have open source side projects to be employable.

                                                          1. 2

                                                            I have side projects to learn and have fun, not to impress an interviewer. My side projects are for fun, exploration, experimenting, etc. They may not be finished or polished (or they may be!). The idea that I should give my leisure time outside of work to build stuff for the sake of finding better work is ridiculous to me. Granted, sometimes you can do both at the same time.

                                                            That’s exactly what I want to see in a candidate!

                                                            Not having side projects is far from a deal-breaker, but it is additional information useful in evaluating the candidate. The projects you describe are precisely what I want to see—not something that feels forced or is clearly put together to demonstrate certain concepts. Or coursework. Show me something derived from passion and/or playful exploration.

                                                          1. 1

                                                            I’d like to elaborate with my perspective:

                                                            I pair program with others at work. I’m the only one out of the team that lives on the command line, and have been using Vim for well over a decade (and now also use Emacs with Evil); the other programmers (sans one, who also uses Vim) use whatever editor the others seem to recommend. Most recently, that editor was PHPStorm.

                                                            I immediately reject PHPStorm because it is non-free/libre. But watching them use it is interesting. In particular, there is one programmer that really understands its features and refactoring tools—he doesn’t often use them, but when he does, I’m quite impressed. There are some features that I found would be convenient (and there are some that I did adopt in Vim/Emacs where packages were available).

                                                            When we were researching this programmer before his interview a couple years back, we saw a post on one of his social media accounts that expressed very strong distaste for Vim and Emacs users, and said that he likes editors that can “write the code for him”. And there, I think, is where people miss the point.

                                                            Yes, these features are very convenient—when they can be used; they are rigid, and usually (as @steveshogren stated) cannot be part of a large composition. They also often require a clumsy GUI interface, which isn’t very (or at all) scriptable. So your editor might be able to write code for you—a small percentage of that time. When you get to use those features, it feels pretty good; but most of the time, you’re typing. Maybe using some auto-completion or auto-formatting.

                                                            From the reverse perspective, the others are impressed by the efficiency with which I edit any text—it might be code, it might not. It’s easy to write macros around Vim commands, and trivial to do so: I’ve taken over the keyboard a few times just to open the file in vim and largely automate a task. But perhaps one of the most notable things I’ve seen was that, when editing files that aren’t part of a project that’s registered with their IDE, or non-source files, they often use other programs. And even if they did use PHPStorm, it doesn’t recognize the file format, so many of their benefits disappear.

                                                            But Vim and Emacs aren’t the only useful tools—I also make aggressive use of standard GNU tools like grep, awk, sed, cut, sort, uniq, shell one-liners and scripts, etc; those are written to be components in a pipeline, and are fundamentally composable; they work on any file, source or not. This allows for far more than text editing: you can do data processing/analysis, reporting, scripting, etc. Between the command line and my editors, I don’t need any other programs to accomplish most sophisticated tasks that others would need wholly separate programs to do. And between editor macros/scripts, piping to external programs, and shell scripts / pipelines, I can reproduce the important part of those refactoring tools to the extent that I need.

                                                            tl;dr: This falls under the same philosophy as that of Unix: small programs (or Vim commands ;)) that do one thing and do it well, use the universal interface (text), and that work as part of a pipeline. Editors that try to think for you lose out when they haven’t thought of what it is you’re trying to do—and that’s constraining, and a hacker’s antithesis.

                                                            1. 3

                                                              I’m using something similar and for me it’s quite convenient; I’ve set up a container-based encryption on an OpenBSD virtual machine on a remote server (based on softraid0). The passwords are stored there in plain text files and I use a script to mount the container and unmount it.

                                                              When I need a password, I’m ssh'ing to the server (public key authentication, so I type the password only once for some time), I mount the container (so I type the password for the container here), and I grep for the proper file, copy/paste the password and unmount the crypto container, all by using simple bash 1-letter aliased commands.

                                                              I’ve also set up an automatic backup script working once a week that additionally encrypts the whole container file with a generated password based on the current date (the algorithm is in the backup script and in my head), and I’ve set up multiple scripts on some of my computers (laptop, desktop) to pull those backups and push them to some other remote servers like google drive, so I know I won’t lose any password even if this remote server for some reason goes down, or my Internet access is limited.

                                                              1. 2

                                                                copy/paste the password and unmount the crypto container

                                                                There are other benefits to certain password managers, such as ones that fill in fields directly in your browser (e.g. the built-in FF password storage): it protects against clipboard / X selection monitoring and against certain side-channel attacks like Van Eck phreaking.

                                                                The latter is a problem because, in order for you to copy the password to your clipboard, it is displayed on your screen. Then, in copying it, you expose your password in plaintext to a system that doesn’t benefit from the same security considerations as the system storing your password. A less sophisticated form of screen capture is also possible: malicious software simply capturing an image of the passwords you have on your screen.

                                                                I store my passwords in one of two places (but not both): for general accounts, I store the password using FF’s (GNU IceCat, in my case) password manager with a strong master password. It uses 3DES for encryption (which is fine), but there’s reason for strong caution: FF is a large program with a huge attack surface; an encrypted file on disk using simple, standard, specialized tools is likely a better idea. The especially sensitive ones I store encrypted on disk. To mitigate the problems I mentioned, I copy the password to the clipboard by piping it to xclip as such:

                                                                $ your-pw-cmd | xclip -i -l 1 -selection clipboard -quiet
                                                                

                                                                (You’ll need to use X11 forwarding over SSH.)

                                                                -l 1 (“loop” 1) tells xclip to satisfy only one selection request before quitting, meaning that you can only paste the password once. So if an attacker queries the clipboard, xclip will exit, you won’t be able to paste your password, and you’ll know that your system was possibly compromised (at the very least, that you should change your password). -quiet causes xclip to run in the foreground so that you can see when (and that) it exits.

                                                                When generating a new password, I pipe it directly to the file or, if using FF’s password manager, to the clipboard:

                                                                # -l 2 so that I can paste it in the verification field as well
                                                                pwgen -sy 64 | xclip -i -l 2 -selection clipboard -quiet
                                                                

                                                                This way, you avoid both selection monitoring and displaying the password on the screen, thereby avoiding screen capture (Van Eck or otherwise).

                                                                If anyone has other suggestions for avoiding these attacks using standard tools, I’d love to hear your thoughts.
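The one-shot xclip trick from the comment above, wrapped in a small shell function as an added example (not code from the thread). It adds one thing the bare one-liner lacks: a bounded lifetime via `timeout`, so a secret nobody pastes does not stay on offer indefinitely; it also reports which of the two outcomes happened. `CLIP_CMD` is a hypothetical override added only so the function can be exercised without an X display; by default it runs the real xclip.

```shell
#!/bin/sh
# Usage: your-pw-cmd | clip_once 30
# CLIP_CMD: hypothetical override for testing without a display (default: xclip).
clip_once() {
    secs="${1:-30}"
    cmd="${CLIP_CMD:-xclip}"
    # -l 1: serve exactly one selection request, then exit.
    # -quiet: stay in the foreground so the exit is visible to the user.
    # timeout: if no request arrives within $secs, give up (status 124)
    # so the secret is dropped rather than left on offer.
    timeout "$secs" "$cmd" -i -l 1 -selection clipboard -quiet
    rc=$?
    case $rc in
        0)   echo "clip_once: one selection request served; if that was not your paste, treat the system as suspect" >&2 ;;
        124) echo "clip_once: no request within ${secs}s; selection dropped" >&2 ;;
        *)   echo "clip_once: $cmd failed (status $rc)" >&2 ;;
    esac
    return "$rc"
}
```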