Totally off topic, but I'm often tripped up by these multiple uses of quotes like this. Why do we use the same symbols out of a huge space for both quoting and sarcasm ?
There are separate symbols for sarcasm, but in "serious" writing emoji aren't considered appropriate. And sites/software likes to restrict them, like e.g. HN, which is why the sarcasm above is marked by quotes instead of the appropriate emoji. Some earlier internet cultures used :>
But I fear that is understood less widely nowadays.
But I have never seen anyone actually ever use it. In fact I only ever heard about it so rarely that I almost miswrote and was about to say that interrobang is sometimes used for indicating sarcasm. But when I looked it up I read that interrobang is for showing surprise of course!
As for your :> there was a guy that used to use it on an IRC channel that I was on. But I never understood quite what he meant by that kind of smiley. And later I looked it up and in his case I think the description I saw on Urban Dictionary fit pretty well, which said it was like a mischievous or devious smile. And I guess that also fits good for when you are sarcastic. Ever since I read that definition of :> it makes me think of this cartoon grinch smile https://meme.fandom.com/wiki/The_Grinch_Smile
Not a linguist or anything, but I'd say there's really just two categories: direct quotes (usually with a source), and then scare quotes which are used to communicate that you don't endorse the usage of the contained word(s).
BBC articles tend to use it a lot, it's probably part of their style guide. I snicker quietly at each title that "is worded" like "this", imagining a Dr. Evil air quoting each segment dutifully.
If a PC is infected I can (and should) reinstall everything from scratch. That should remove the malware, barring some super resistant malware that hides in the BIOS or something like that.
What do you do on an iOS device? Does a full device reset reinstall the OS, or does it simply remove all user settings?
I feel like the locked down nature of iOS makes it harder to attack, but if an attack goes thru it would also make it harder to clean up the attack?
If you're going against an adversary capable and willing to drop multiple zero days to breach you, let alone 11, I wouldn't wager much on a simple system wipe getting you back to a good state (iOS or not).
Given the price of iOS devices vs good security consultant hourlies, the easiest and most effective clean-up for a few devices is likely just starting over.
Reinstalling everything from scratch is a good start, but persistence of an exploit can easily be achieved through most data backups. Nobody wants to part with their important Word and Excel files, so those will get restored onto the fresh machine, carrying all the usual embedded macro nasties that an attacker planted there.
Of course you can try to be diligent and skip everything that is potentially a problem, but it is even harder than reinstalling and the data you are dropping is usually more valuable than the OS installation.
There is a bootrom exploit called checkm8 (and corresponding jailbreak called checkra1n) for some iOS devices, you could exploit that, which lets you run code before any possible malware, then use that code to wipe the device and reinstall iOS, although I expect it would be hard to obtain a pristine copy of all the firmware in all the parts of the SoC.
A full reinstall of iOS--done by putting the device into DRU mode and then entirely re-imaging it over USB with iTunes from a firmware image--really does reinstall everything on the system that can possibly be changed by anyone (like, excepting code that is so fixed it isn't upgradeable even by Apple)... if anything you sometimes get some settings left around in awkward places for some of the lower-level components (that maybe could be used to smuggle intent or even attacks across the reinstall). iOS is actually really really good about this in comparison to a lot of other devices.
It seems that a watering hole attack by definition targets users of a particular organization, but articles on this event make no mention of which organizations would that be, sounding like it affects general public. Wondering who should be worried.
Related: can community recommend some forums, periodic publications or other sources that aggregate information security news?
The scare quotes in the title read as sarcasm but they clearly didn’t intend them as such. An odd choice as I almost overlooked the article assuming it was a tale of some failed hackers.
The author uses quotes as actual quotes instead of as scare quotes. I'm not a fan of "scare" quotes so I'd be very pleased if other journalists did the same even if it takes some getting used to.
I would not understand that you were using that to indicate sarcasm—I would think you were emphasizing the fact that they're experts. I also don't think that usage is in any style guide, so you're not going to see journalists doing it.
On the other hand, using quotation marks to indicate sarcasm or irony is normal use and is in style guides.
You just have to rely on context to differentiate. The headline of the linked article is pretty ambiguous and like GP I read them as sarcasm. I think it was a poor choice to include them at all in this case—they don't add anything to the headline.
It's surrounded by quotation marks...because it's a quotation. Pretty standard. I'd estimate about half the headlines I see on the BBC News website these days have one of two words in quotes. It seems to allow them to create a clickbaity headline while not being inaccurate.
How long until we realize that JIT was a mistake and that we should offer orders of magnitude slower JS in browsers that is actually safe (or start building webpages without JS at all again, which will probably never happen) lest we give every website the ability to take over our device?
I'd pay real money for a browser with a slow, safe JS interpreter.
Actually with the font exploits an interpreter would be quite a bit safer. Many of the font exploit chains work by creating line vectors that result in an infinity or NaN throwing a floating point error (with the SeH handler already being overwritten). When running this by JIT... all of this is occurring on the physical CPU. If the floating point calculations were occurring inside an interpreter then the SEH chain can be protected by SEHOP/SAFESEH and the interpreter could implement bounds checks and while retaining the NX bit on everything executing.
a. closing one attack vector does not justify slowing down the entire world.
b. you can have the jit compile with any bound checks as you suggested, so still not justifying an interpreter. the only reason for an interpreter is simplicity, once you have a jit there's no logical reason to go back.
also when you say NX bit, you do know the interpreter is running code still. it's just doesn't have to be RW (actually jit don't either) which still allows for ROP. there has to be some very specific exploit for these things to have a dramatic effect (ie. can be vs. cannot be exploited) many times there will be several methods to exploit a vuln.
Well, I feel like you are arguing for JIT just for the sake of arguing. The topic we are discussing in this thread is "Interpreted is safer than JIT" which is absolutely true.
Yeah, there are newer ROP mitigations coming down the pipeline, I agree verifiable execution flow remains a major problem.
I saw; such a security-focused browser would naturally use only local, trusted fonts and strongly sandbox media playback/decode of any kind, probably in a different process.
We need slow and safe before we can have fast and safe. Either is better than the fast and unsafe we have now.
We should probably unfuck the dangerous morass that is turing-complete font file formats at some point, too.
The direction of webdev is webasm delivering full almost-desktop level apps and SPAs vs the documents with some minor scripting of the past.
Slow & safe javascript will simply not be adopted by the market because there is zero incentive to do so. Change the incentives and you will get the change you want.
>The importance of keeping apps and OSes up to date and avoiding suspicious websites still stands. Unfortunately, neither of those things would have helped the victims hacked by this unknown group.
Disabling Javascript would have helped. You can even use tools like uMatrix to set exceptions per site so you're not exposing yourself to every single site on the internet by default. Though you won't see online news sites suggest this since their revenue is so tied to Javascript being enabled.
The reason why general computing sites don't recommend it is because users won't be happy when they can't sign into their bank or use other websites they wish to use.
The average user doesn't know anything about how sites are constructed. Telling them to use uMatrix is non sensical.
Though that's not to say there's good advice on these kinds of sites.
I've seen a "Windows 10 tips" list from a very popular site telling users that "they don't like being patronised about their own computer" and recommends turning off UAC (Essentially running their account as root)
Or even saying that updating your OS is frustrating so here's how to disable it.
Absolutely dangerous advice but that's the level of general computer sites.
I don't want forced updates when I am working. And many time I have encountered issues like computer not booting. After updates they prompts "Please install our cool new software called edge".
I want security update not the marketing update. So I make a compromise and disable update all together. Why not give linux style update where I can review each and every package.
The reason is that the product is Windows 10 as a whole.
Linux Distros are just bundles of software that make up the operating system.
So if your compromise is that you don't want new Windows 10 updates because they also bundle in new features rather than using an OS like linux, then it'd be your fault if you get hacked via an exploit that was patched in an update.
Then the obvious solution is to make them care. We penalise corporations for financial negligence and failing to take proper precautions and report correctly. We increasingly penalise them for violations of privacy and data protection rules, where similarly they are expected and required to provide adequate infrastructure to comply with the regulatory obligations. If failing to implement reasonable security practices and provide appropriate security updates to users with no strings attached started costing the hardware manufacturers and software developers and resellers the same kinds of penalty per violation as some of the financial or privacy regulations, we'd soon see those security updates universally available without forcing all the unwanted user-hostile changes at the same time.
There isn't law that mandates they split security updates from feature updates.
I'm suggesting that perhaps there should be.
In what other area of consumer protection law does a manufacturer or reseller get to provide a seriously defective product and then refuse to deal with the problem unless the buyer also accepts other changes that might make the product significantly different and possibly in their view significantly worse than the one they chose to buy?
The principle is important here. Your example about Paint 3D is cute, but in reality, there are plenty of other examples where user-hostile software changes have been pushed out after purchase, including those that disabled previously available functionality, reduced privacy, introduced advertising, or dramatically changed the look and feel of the product. People shouldn't be forced to accept these kinds of unwanted retrospective changes to the product they originally chose to buy just to maintain an adequate level of security.
Not in any real way for most people. It's only available to enterprise accounts, and from what I saw when I worked in IT, Microsoft strongly discourages it's use for normal user desktops.
The unpleasant answer is that if you give people linux style updates, every Windows 10 install becomes part of a botnet like the bad old days. No operating system I know of other than Linux actually gives you the option to do updates piecemeal and security is one of the main reasons why.
For the record I hate this, but history has shown that if you don't try your absolute hardest to get security updates installed onto users' machines, they're going to constantly get owned by malicious third parties. Chrome and Firefox aggressively auto-update for the same reason (if you try to manually install old Chrome for testing it'll obliterate itself on next launch!) The vast majority of users simply do not pay attention to security and will not make the right decisions if you offer them choices about updates and security, because they don't have enough knowledge or context to make the right choices.
Thank you for saying that. I'm one of first in 2005/2006 advocating JS rendering in the browser. JS in the browser has really gotten out of hand. I no longer advocate to do everything on the client/browser side. A web site should just work without JS.
Normal websites should absolutely, but actual webapps don't necessarily need to. Modern JS allows for very capable audio, video and 3d web applications inside the browser. The alternative if it wasn't for JS would be to build desktop apps, which would introduce a completely new set of problems and potential security risks.
For sure, audio, video do not need JS to function.
Yes you need JS for 3d webGL, but it also opened another can of worm that allows company to fingerprint GPU pretty much anyone who is not using Safari regardless if you are in incognito mode.
What most web developer don't realize browser was build to be a sandbox to protect you from the world wide web. Seems like the current trend is tear down that sandbox for usability and functions. Which is fine, then advertise that browser with JS enabled pretty much open you all that risk. It should be in the educational to the public as well as the first page of any browser that doesn't sandbox GPU finger printing.
This is true, and web browsers will need better user configuration to control such things, including fine controls to control what exactly a script does. The web developer console is a good start, but it doesn't even start to go far enough at all.
Most should work without JS (and also without CSS too, usually), yes.
Even in the few cases where it is needed, it should be designed to work OK without. I did see once where if JavaScript was disabled, it displayed a link to documentation instead; that is a good idea. (Unfortunately, the documentation didn't work without JavaScript enabled; they should fix that.) If it is accessing data, you can link to the documentation and/or to the data directly, in order to deal with it by yourself, with your own software, if the user wishes to do so. Sometimes the script is used to perform calculations, or automatically convert or render something; you can still add a <noscript> block to just mention what it is, links to source codes, or in some cases (e.g. automatic time zone conversion) just omit that part entirely will do. Simply writing "This page requires JavaScript enabled to work" is worthless; don't do that.
I use F-Droid's Fennec, which has addon-collections re-enabled. Bit of a hassle if you want something that's not yet included in an existing collection, but possible:
Been playing with tools like angr lately and learning more about binary analysis.
It seems to me that "automatic exploit generation" is improving quite a bit where the infrastructure for analysis is a little tricky to set up, but then you can direct that infrastructure to analyze the code for you. The bad guys and good guys are in a race to find new exploits faster (they always have been) but I've been pretty amazed by the direction I see things going with automation.
I might just go back to pen and paper at this point.
>I might just go back to pen and paper at this point.
Maybe you kid, but... I've been using a physical calendar on the wall this year. I also replaced my Apple Watch with a Casio F-91W some time ago.
You know what's really great? My calendar or watch never gets hacked and it's never unavailable because some overnight software update broke it! Sure, the F-91W technically runs software, but it has no connectivity. That's the important part.
Now if I could just figure out what to do with my phone... I don't think dumb phones are particularly secure, so maybe it makes sense to keep using Android? Or eventually switch to Linux on my phone?
I suppose this year is different but what about when you're outside and you want to check your calendar? Do you copy everything to a pocket calendar and risk them going out of sync?
So far that hasn't really come up. How often do you need to check your calendar outside? Maybe I don't need to very much because I work from home.
Here's some possible scenarios though:
* If I need to remember when something is going to happen, such as "I'm leaving my house to meet a friend at 4 PM", I can just commit to memory what time it was suppose to be.
* If there's a lot of stuff happening, then I'd make a note on my phone. If the times of events change while I'm out, it doesn't really matter if my calendar at home is out of sync. I'm just going to cross the day off when I get back.
* If I find out a later date will change ("the user group has been moved to Thursdays"), then I'll leave myself a reminder on my phone. Most of the things on my calendar are actually little post-it notes, so I can move things around. I only write things in ink when they will never change, like national holidays that are already scheduled/set in stone.
So far, I haven't really run into any pain points. The drawbacks of paper calendars just aren't enough to overcome the drawbacks of electronic calendars.
I have a $12 flip phone, pay as you go, not in my name. It can't browse the web and if someone sends me binary data in a text message its shows up the same as if I read binary data in my terminal. The phone has no idea what to do with it. Battery life would be great if the did not remove the cell sites near me. I think this model was replaced by one that is $29 but its basically the same thing. Check Walmart or an equivalent store.
b) Google Maps could advice direction to some smaller not so well maintained roads, that could increase travel time a lot, or lead to some road where it's hard to turn back. So maybe planning ahead and writing driving instructions at home before driving would be better. Or just trying to follow main street signs for major roads.
angr is cool and all (disclaimer: I know many of the people who work on it) but we’re not really at a point where you can just point automated tooling at software and get results. That isn’t to say that code analysis tools are not heavily used by people finding exploits, but their effectiveness is limited by the difficulties of analyzing code and the fact that the “good guys” have access to pretty much the same tooling. (In fact, their tooling is better in a sense because it often runs in better conditions like with full source code and lack of a need to find a full exploit for every bug.)
Probably a stupid question to ask, and I realise the bigger picture here is that there are sophisticated groups searching for complicated exploits all the time, but are these specific exploits addressed already in the latest software updates for the affected platforms?
Wasn’t clear to me from the article, although I may just have missed it being the idiot that I am.
Usually, security researchers communicate exploits to the companies that build platforms before publishing so they get a chance to plug the holes. Of course it happens that those companies just don't react but with such a high-profile zoo of exploits, their security guys would be scrambling.
I said this once and I'll say it again: To counter such threats we need a healthy heterogeneous ecosystem. According to the article, the attack would have been prevented by using Firefox, (because it relied on a Chrome CVE). It also did not work on Linux and presumably not on Apple's ARM CPUs.
But unfortunately we don't get exponential security. Normally, one would expect that n variables (Browser, OS, CPU architecture) with three choices each should give you 3^n required exploits to cover all combinations.
But unfortunately, n is rather small nowadays, the number of choices shrinks every year, and -even more worrying- the attack vectors compose extremely well so you actually just need 3n exploits.
So I am a little bit at a loss here how we can make such attacks non-economical again.
But this is reversed for a watering hole bug against an organization. They only needed to get into one stack one member of the org uses and stay. Their reason for releasing multiple chains of attack at once instead of whenever their current attack is patched is unclear unless they want to get into multiple organizations where some avoid a diversity of exploitable software.
But these are attacks that worked across multiple systems. Heterogeneity is going to lead to more systems with less overall security work being done per system. Sure, using Firefox would have prevented the attacks we know about, but who's to say Google found all of the attacks. They exploit Chrome, Samsung browser, Windows, Android, iOS, and Safari. It seems silly to say "if we had one more, it would have stopped them."
> They exploit Chrome, Samsung browser, Windows, Android, iOS, and Safari. It seems silly to say "if we had one more, it would have stopped them."
Samsung's browser and Chrome share 100% of attack surface; Safari and Chrome share likely near 70%. Windows and Android have Chrome built-in at the OS layer, iOS has Safari built in at the OS layer.
In this case, something like Firefox which shares much less attack surface would in fact solve the problem, because the problem is that other things have Chrome at the OS-level.
Edge is now Chromium based and soon Edge-Chromium webviews will ship with the OS. The old IE/Edge webviews will remain for legacy but they'll eventually get stripped.
This is wrong. I'd say it's more like 5%. Blink forked from WebKit 7 years ago and development has been very active on both sides since then. And probably the majority of the attack surface is outside Blink/WebKit proper to start with (e.g. JS engine, font libraries, media decoding, networking, etc).
I don't know about JSC, but V8 is very much a standalone project. I guess you could define it as just part of Blink but I don't think that's a very useful definition.
Diversity is a sign of health in an ecosystem. But, increasing diversity directly isn't really viable. Question is, why is diversity low?
In my opinion, Web, OSes and CPUs suffer from being overly complicated, closed-source ridden, non-modular systems-within-systems. Basicly, the opposite of what the Unix philosophy advocates.
If a Web browser were easier to implement, we would have more than ~3 well maintained engines. In other words, why should Web require massive amounts of capital?
>To counter such threats we need a healthy heterogeneous ecosystem.
And how do you get that?
>But unfortunately, n is rather small nowadays, the number of choices shrinks every year, and -even more worrying- the attack vectors compose extremely well so you actually just need 3n exploits.
Let me tell you about early-to-mid 2000s. Now that was a time of very low 'n'. Compared to then, we live in a heterogenous nirvana.
> It also did not work on Linux and presumably not on Apple's ARM CPUs.
Hmm, anyone else find this interesting? I haven't looked into the actual exploit itself yet, but having it work on Android, which has SELinux and/or other protections by default, but not on (presumably) a generic Linux distro, is weird.
I would have assumed it exploited something present only on mobile builds of Chrome, but it affects Windows as well. Odd.
It did not rely on a Chrome CVE, it just included a Chrome exploit.
What they found was a server that served up the correct exploit for the platform making the request, and were able to coax a bunch of iOS and Chrome exploits out of it. This doesn't mean that the attackers didn't have other browser exploits or that Firefox exploits couldn't have been dropped into the same framework.
In fact, if you start trolling around in Tor, you're likely to find a ton of Firefox exploits because Tor Browser is obviously based on Firefox.
I really don't understand why people decide to work in computer security, today it's really an arms race. I see how it's like games of lockpicking, but honestly I don't understand the value of it.
It's like being in the arms trade: what matters is who you decide to trade with.
Honestly, I'd rather see myself as anti-cyber-war at this point, like anti-war protests, meaning telling people to use computers for less critical tasks, and disengaging from certain areas.
It's more interesting to understand the motives of attacks. Often, attacks have a geopolitical or political motive.
So the whole point of security, digital or physical, is power.
For now, I really don't see the point of working in security for a single reason: there is NO REGULATION on measures of security when writing software. You can find millions of regulations for making physical products, but very few for software when it comes to security.
Of course, governments have higher standards, but law should mandate that insurance companies be able to evaluate cyber risks, so there should be regulations regarding computer security.
Unlike lockpicking or actual arms races, it is possible to write software such that the only weak point is the people using it. Ideally all software would be formally verified, but that's a bit too cost/time expensive to be practical for everything, so instead computer security focuses a lot on minimizing attack surface and getting as close as possible to that "humans are the weak point" goal. Even if a 0day exists for particular software, if there's no way to reach it, then it's as good as being nonexistent.
> telling people to use computers for less critical tasks, and disengaging from certain areas.
I think I a bit can understand how you think. Looking at some health care related apps, I was surprised to see how buggy they were (the user interface) and silly built, wrt security.
On the other hand, without computers, the alternative seems to be that the health care staff picks up the phone and just assumes you are the one you say you are
Which ones may I ask? I’ve been shocked to learn how many online EHR/EMRs work... it’s a bit frightening to think it would be trivial to find large densities of ailments / preconditions to exploit at a state level.
The actual exploited bugs were mostly found in the OS but this is really about browsers. A contemporary browser pretty much exposes your entire OS to remote attacks. You want to exploit font interpretation? No problem, the browser will happily download your malicious font.
There has to be a better way. This isn't working...
I guess in an ideal world, the default might be something simple enough (akin to Gemini), and using a more flexible and complex technology that comes with all the security and privacy implications would be distinguishable from the simpler sites and using them would require and allow user discretion. That might place web apps somewhere between plain websites and applications installed on the computer (or phone or whatever).
If implementing your site as an app rather than using something like Gemini came at the price of making people think twice, in theory there might be an incentive to only do web apps when it's actually needed.
But of course not that many people would use that kind of discretion, not to mention "ooh, shiny!"
And it's hard to put the genie back in the bottle anyway.
I agree, and on my computer I disable custom fonts in the web browser anyways.
A better web browser is really needed; one of things it can have is support for the Gemini protocol and file format. (It can also omit many things, as well as adding things.)
Could I make a suggestion? It'd be great if it were possible to white-blacklist all web features? We can do this for some features like location, but I can't selectively turn off images, JavaScript, or web fonts (only globally).
It might be nice to have a prompt like "This page wants to use a web font" like how you get for location. I realize that may be a lot of work to add in though.
Really, I'd just like to re-enable webfonts on Netflix so the subtitles don't look like garbage, but keep the fonts off on almost all websites. If anyone at Netflix is reading this, please fallback to something like sans-serif and not serif.
You may want to set up arbitrary criteria. For example, something I would like to do is enable web fonts for SVG, but not for HTML.
Prompts do help, but the prompt should allow the user to allow or block once or always, and to override settings too (e.g. for location, the user can optionally specify a location to use, or specify a command-line of a program that provides the location; for camera, the user can specify the path to the device or to a picture or video file, or a command-line of a program that will produce the picture). The user can then specify whether or not to always make this selection in the future, and in what scope. If the site uses TLS, or is a local file which has been digitally signed, then the user can optionally specify certificate pinning too, in which case the automatic selection will be ignored if the certificate does not match.
I also have other ideas, about meta-CSS, presentation mode, table of contents window, animation skipping, capability of loading animated GIF and PNG files as videos (so that you can rewind and pause it), better keyboard controls, save form data to local files, regular expression search, full cookie editor, SQL access to HTML tables, Xaw-style scrollbars, relative location bar, ARIA view, etc. Most of this is configured and/or activated only by the end user, not by the document. Although, some are capable in the document too, such as, a HTML document with a <video> referencing a GIF or PNG will work; such a file can be loaded with <img> or <video> and either way would work.
No "do not track" setting is needed. My idea is the user could set up request headers arbitrarily, as well as overriding response headers (including some "protected" ones, which are stripped if received from a remote site, so are only effective if set up by the user). For example, to enable "do not track", you can add the rule which adds the request header "DNT:1" with the criteria specified as "always".
I would also ensure that all timing APIs can be spoofed (including the JavaScript core Date object; in my opinion this is an I/O function so it shouldn't belong in the core). This is probably useful for testing, as well as for the end user to get rid of annoyances too.
Rip out the clipboard API along with all the other functions that allow sites to manipulate text selection semantics, sticky overlays, and all of the other UX garbage that has accumulated over the years.
Agreed. In addition to clipboard API and Pocket, I had other ideas to remove, including <marquee> (although the user can add it back using their own CSS and/or meta-CSS if wanted), several APIs, some events, scrolling by script, testing visibility of anything by script, window ops by document scripts, etc.
In normal view and ARIA view, the viewport height would always be reported as Infinity. In print preview and in presentation view (which is a paged/screen media type), the viewport height is reported correctly.
The better way is to use Qubes OS for security through isolation. You then use hardware virtualization to isolate untrusted application (including browsers) from the rest of system. Doesn't work on mobile though.
Processes were a form of robust virtualisation once. It’s just pushing the problem down another layer. There are vulnerabilities in virtualisation layers too.
> There are vulnerabilities in virtualisation layers too.
Qubes OS v4+ does not use typical software virtualization methods. VT-d hardware virtualization it uses was broken only once, and it was done by the Qubes founder: https://en.wikipedia.org/wiki/Blue_Pill_(software)
Curious why there isn't more specificity in the article? Is it to protect the sites and allow them time to fix? I'm not asking in a derogatory fashion, more trying to figure out the level of potential exposure I have myself. Tough to determine from the article.
Hackers ARE using zerodays to infect EVERYTHING. I really can't understand why people continue to just assume that their endpoints and networks are clean. Worse, they then use the lack of security events to justify not buying the tools and expertise that are necessary to identify compromises.
EDIT: not just zerodays. Many organizations have patch schedules that are too slow.
155 comments
[ 2.9 ms ] story [ 162 ms ] threadAnd then there is also the irony punctuation which looks like this: ⸮
https://en.wikipedia.org/wiki/Irony_punctuation
But I have never seen anyone actually ever use it. In fact I only ever heard about it so rarely that I almost miswrote and was about to say that interrobang is sometimes used for indicating sarcasm. But when I looked it up I read that interrobang is for showing surprise of course!
As for your :> there was a guy that used to use it on an IRC channel that I was on. But I never understood quite what he meant by that kind of smiley. And later I looked it up and in his case I think the description I saw on Urban Dictionary fit pretty well, which said it was like a mischievous or devious smile. And I guess that also fits good for when you are sarcastic. Ever since I read that definition of :> it makes me think of this cartoon grinch smile https://meme.fandom.com/wiki/The_Grinch_Smile
I'd call whoever is responsible for such a valuable amount of 0days expert/nation state level for sure.
What do you do on an iOS device? Does a full device reset reinstall the OS, or does it simply remove all user settings?
I feel like the locked down nature of iOS makes it harder to attack, but if an attack goes thru it would also make it harder to clean up the attack?
Given the price of iOS devices vs good security consultant hourlies, the easiest and most effective clean-up for a few devices is likely just starting over.
Of course you can try to be diligent and skip everything that is potentially a problem, but it is even harder than reinstalling and the data you are dropping is usually more valuable than the OS installation.
Not on iOS.
https://checkra.in/
Related: can community recommend some forums, periodic publications or other sources that aggregate information security news?
Keep an eye on r/sysadmin in Reddit.
r/netsec
> Expert (!) hackers used...
I hope then it's clear they are not experts really and when I say "experts" it's clear that I'm just quoting.
On the other hand, using quotation marks to indicate sarcasm or irony is normal use and is in style guides.
You just have to rely on context to differentiate. The headline of the linked article is pretty ambiguous and like GP I read them as sarcasm. I think it was a poor choice to include them at all in this case—they don't add anything to the headline.
I don't know why started using it but it's in wiktionary so "everyone should" understand it: https://en.wiktionary.org/wiki/(!)
I guess, as you also mentioned, without enough context around it, both are hard to understand.
X is dangerous VS X is "dangerous"
The implication is true vs not true.
I'd pay real money for a browser with a slow, safe JS interpreter.
https://en.wikipedia.org/wiki/W%5EX
Yeah, there are newer ROP mitigations coming down the pipeline, I agree verifiable execution flow remains a major problem.
We need slow and safe before we can have fast and safe. Either is better than the fast and unsafe we have now.
We should probably unfuck the dangerous morass that is turing-complete font file formats at some point, too.
https://hacks.mozilla.org/2020/02/securing-firefox-with-weba...
Same with Ogg container parsing.
Slow & safe javascript will simply not be adopted by the market because there is zero incentive to do so. Change the incentives and you will get the change you want.
https://v8.dev/blog/jitless
Disabling Javascript would have helped. You can even use tools like uMatrix to set exceptions per site so you're not exposing yourself to every single site on the internet by default. Though you won't see online news sites suggest this since their revenue is so tied to Javascript being enabled.
The average user doesn't know anything about how sites are constructed. Telling them to use uMatrix is non sensical.
Though that's not to say there's good advice on these kinds of sites.
I've seen a "Windows 10 tips" list from a very popular site telling users that "they don't like being patronised about their own computer" and recommends turning off UAC (Essentially running their account as root)
Or even saying that updating your OS is frustrating so here's how to disable it.
Absolutely dangerous advice but that's the level of general computer sites.
Regarding Update/UAC Please blame microsoft.
I don't want forced updates when I am working. And many time I have encountered issues like computer not booting. After updates they prompts "Please install our cool new software called edge".
I want security update not the marketing update. So I make a compromise and disable update all together. Why not give linux style update where I can review each and every package.
W10 education and enterprise licenses allows you to manage the updates yourself.
Linux Distros are just bundles of software that make up the operating system.
So if your compromise is that you don't want new Windows 10 updates because they also bundle in new features rather than using an OS like linux, then it'd be your fault if you get hacked via an exploit that was patched in an update.
Microsoft aren't going to care.
Then the obvious solution is to make them care. We penalise corporations for financial negligence and failing to take proper precautions and report correctly. We increasingly penalise them for violations of privacy and data protection rules, where similarly they are expected and required to provide adequate infrastructure to comply with the regulatory obligations. If failing to implement reasonable security practices and provide appropriate security updates to users with no strings attached started costing the hardware manufacturers and software developers and resellers the same kinds of penalty per violation as some of the financial or privacy regulations, we'd soon see those security updates universally available without forcing all the unwanted user-hostile changes at the same time.
What if they rewrote a component to have new features and it also fixed a security issue?
What's the difference between a security patch and a bug fix?
At the end of the day if someone gets so angry that Microsoft added Paint 3D in an update that they disabled updates.
What's the obligation here? They chose not to update their computer.
I'm suggesting that perhaps there should be.
In what other area of consumer protection law does a manufacturer or reseller get to provide a seriously defective product and then refuse to deal with the problem unless the buyer also accepts other changes that might make the product significantly different and possibly in their view significantly worse than the one they chose to buy?
The principle is important here. Your example about Paint 3D is cute, but in reality, there are plenty of other examples where user-hostile software changes have been pushed out after purchase, including those that disabled previously available functionality, reduced privacy, introduced advertising, or dramatically changed the look and feel of the product. People shouldn't be forced to accept these kinds of unwanted retrospective changes to the product they originally chose to buy just to maintain an adequate level of security.
For the record I hate this, but history has shown that if you don't try your absolute hardest to get security updates installed onto users' machines, they're going to constantly get owned by malicious third parties. Chrome and Firefox aggressively auto-update for the same reason (if you try to manually install old Chrome for testing it'll obliterate itself on next launch!) The vast majority of users simply do not pay attention to security and will not make the right decisions if you offer them choices about updates and security, because they don't have enough knowledge or context to make the right choices.
Thank you for saying that. I'm one of first in 2005/2006 advocating JS rendering in the browser. JS in the browser has really gotten out of hand. I no longer advocate to do everything on the client/browser side. A web site should just work without JS.
For sure, audio, video do not need JS to function.
Yes you need JS for 3d webGL, but it also opened another can of worm that allows company to fingerprint GPU pretty much anyone who is not using Safari regardless if you are in incognito mode.
What most web developer don't realize browser was build to be a sandbox to protect you from the world wide web. Seems like the current trend is tear down that sandbox for usability and functions. Which is fine, then advertise that browser with JS enabled pretty much open you all that risk. It should be in the educational to the public as well as the first page of any browser that doesn't sandbox GPU finger printing.
Even in the few cases where it is needed, it should be designed to work OK without. I did see once where if JavaScript was disabled, it displayed a link to documentation instead; that is a good idea. (Unfortunately, the documentation didn't work without JavaScript enabled; they should fix that.) If it is accessing data, you can link to the documentation and/or to the data directly, in order to deal with it by yourself, with your own software, if the user wishes to do so. Sometimes the script is used to perform calculations, or automatically convert or render something; you can still add a <noscript> block to just mention what it is, links to source codes, or in some cases (e.g. automatic time zone conversion) just omit that part entirely will do. Simply writing "This page requires JavaScript enabled to work" is worthless; don't do that.
android and ios are indeed a wasteland in terms of browser security.
https://f-droid.org/de/packages/org.mozilla.fennec_fdroid/
https://news.ycombinator.com/item?id=24532973 https://github.com/gorhill/uMatrix
I'm not sure what is supposed to replace it though.
https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium...
It seems to me that "automatic exploit generation" is improving quite a bit where the infrastructure for analysis is a little tricky to set up, but then you can direct that infrastructure to analyze the code for you. The bad guys and good guys are in a race to find new exploits faster (they always have been) but I've been pretty amazed by the direction I see things going with automation.
I might just go back to pen and paper at this point.
Maybe you kid, but... I've been using a physical calendar on the wall this year. I also replaced my Apple Watch with a Casio F-91W some time ago.
You know what's really great? My calendar or watch never gets hacked and it's never unavailable because some overnight software update broke it! Sure, the F-91W technically runs software, but it has no connectivity. That's the important part.
Now if I could just figure out what to do with my phone... I don't think dumb phones are particularly secure, so maybe it makes sense to keep using Android? Or eventually switch to Linux on my phone?
Here's some possible scenarios though:
* If I need to remember when something is going to happen, such as "I'm leaving my house to meet a friend at 4 PM", I can just commit to memory what time it was suppose to be.
* If there's a lot of stuff happening, then I'd make a note on my phone. If the times of events change while I'm out, it doesn't really matter if my calendar at home is out of sync. I'm just going to cross the day off when I get back.
* If I find out a later date will change ("the user group has been moved to Thursdays"), then I'll leave myself a reminder on my phone. Most of the things on my calendar are actually little post-it notes, so I can move things around. I only write things in ink when they will never change, like national holidays that are already scheduled/set in stone.
So far, I haven't really run into any pain points. The drawbacks of paper calendars just aren't enough to overcome the drawbacks of electronic calendars.
b) Google Maps could advice direction to some smaller not so well maintained roads, that could increase travel time a lot, or lead to some road where it's hard to turn back. So maybe planning ahead and writing driving instructions at home before driving would be better. Or just trying to follow main street signs for major roads.
c) There are some DIY projects like Raspberry Pi navigator: https://www.raspberrypi.org/forums/viewtopic.php?t=70517
The raspberry pi project looks interesting, though.
I hear you, but I see where they're going with it and what is possible with automation will improve each year. It's certainly not a dead end.
Wasn’t clear to me from the article, although I may just have missed it being the idiot that I am.
But unfortunately we don't get exponential security. Normally, one would expect that n variables (Browser, OS, CPU architecture) with three choices each should give you 3^n required exploits to cover all combinations.
But unfortunately, n is rather small nowadays, the number of choices shrinks every year, and -even more worrying- the attack vectors compose extremely well so you actually just need 3n exploits.
So I am a little bit at a loss here how we can make such attacks non-economical again.
Samsung's browser and Chrome share 100% of attack surface; Safari and Chrome share likely near 70%. Windows and Android have Chrome built-in at the OS layer, iOS has Safari built in at the OS layer.
In this case, something like Firefox which shares much less attack surface would in fact solve the problem, because the problem is that other things have Chrome at the OS-level.
How is Chrome built into Windows at the OS layer? Wouldn't that be IE or Edge?
I think that's OP's point. Edge uses chromium.
This is wrong. I'd say it's more like 5%. Blink forked from WebKit 7 years ago and development has been very active on both sides since then. And probably the majority of the attack surface is outside Blink/WebKit proper to start with (e.g. JS engine, font libraries, media decoding, networking, etc).
In my opinion, Web, OSes and CPUs suffer from being overly complicated, closed-source ridden, non-modular systems-within-systems. Basicly, the opposite of what the Unix philosophy advocates.
Protocols and instruction sets etc will need to be not too complicated, in addition to being open source and fully documented.
How does that balance against the thread of each platform/ecosystem having its own variants of security issues?
And how do you get that?
>But unfortunately, n is rather small nowadays, the number of choices shrinks every year, and -even more worrying- the attack vectors compose extremely well so you actually just need 3n exploits.
Let me tell you about early-to-mid 2000s. Now that was a time of very low 'n'. Compared to then, we live in a heterogenous nirvana.
Hmm, anyone else find this interesting? I haven't looked into the actual exploit itself yet, but having it work on Android, which has SELinux and/or other protections by default, but not on (presumably) a generic Linux distro, is weird.
I would have assumed it exploited something present only on mobile builds of Chrome, but it affects Windows as well. Odd.
The Android vs Linux part still stands though.
What they found was a server that served up the correct exploit for the platform making the request, and were able to coax a bunch of iOS and Chrome exploits out of it. This doesn't mean that the attackers didn't have other browser exploits or that Firefox exploits couldn't have been dropped into the same framework.
In fact, if you start trolling around in Tor, you're likely to find a ton of Firefox exploits because Tor Browser is obviously based on Firefox.
It's like being in the arms trade: what matters is who you decide to trade with.
Honestly, I'd rather see myself as anti-cyber-war at this point, like anti-war protests, meaning telling people to use computers for less critical tasks, and disengaging from certain areas.
The best way to stop future attacks is to make current attacks unsuccessful.
So the whole point of security, digital or physical, is power.
For now, I really don't see the point of working in security for a single reason: there is NO REGULATION on measures of security when writing software. You can find millions of regulations for making physical products, but very few for software when it comes to security.
Of course, governments have higher standards, but law should mandate that insurance companies be able to evaluate cyber risks, so there should be regulations regarding computer security.
I think I a bit can understand how you think. Looking at some health care related apps, I was surprised to see how buggy they were (the user interface) and silly built, wrt security.
On the other hand, without computers, the alternative seems to be that the health care staff picks up the phone and just assumes you are the one you say you are
(I guess you're in the US?)
There has to be a better way. This isn't working...
If Firefox & Chrome had support for something lightweight like Gemini (https://gemini.circumlunar.space/) then most sites could just use that.
With that sort of setup, restrictions on the web like uMatrix would be a lot less painful because most sites wouldn't ever need to be whitelisted.
But they wouldn't, because they couldn't track people.
They wouldn't use it (or the VAST majority wouldn't) because it means losing tracking.
If implementing your site as an app rather than using something like Gemini came at the price of making people think twice, in theory there might be an incentive to only do web apps when it's actually needed.
But of course not that many people would use that kind of discretion, not to mention "ooh, shiny!"
And it's hard to put the genie back in the bottle anyway.
A better web browser is really needed; one of things it can have is support for the Gemini protocol and file format. (It can also omit many things, as well as adding things.)
It might be nice to have a prompt like "This page wants to use a web font" like how you get for location. I realize that may be a lot of work to add in though.
Really, I'd just like to re-enable webfonts on Netflix so the subtitles don't look like garbage, but keep the fonts off on almost all websites. If anyone at Netflix is reading this, please fallback to something like sans-serif and not serif.
I wish servo was in a better place to fork
Prompts do help, but the prompt should allow the user to allow or block once or always, and to override settings too (e.g. for location, the user can optionally specify a location to use, or specify a command-line of a program that provides the location; for camera, the user can specify the path to the device or to a picture or video file, or a command-line of a program that will produce the picture). The user can then specify whether or not to always make this selection in the future, and in what scope. If the site uses TLS, or is a local file which has been digitally signed, then the user can optionally specify certificate pinning too, in which case the automatic selection will be ignored if the certificate does not match.
I also have other ideas, about meta-CSS, presentation mode, table of contents window, animation skipping, capability of loading animated GIF and PNG files as videos (so that you can rewind and pause it), better keyboard controls, save form data to local files, regular expression search, full cookie editor, SQL access to HTML tables, Xaw-style scrollbars, relative location bar, ARIA view, etc. Most of this is configured and/or activated only by the end user, not by the document. Although, some are capable in the document too, such as, a HTML document with a <video> referencing a GIF or PNG will work; such a file can be loaded with <img> or <video> and either way would work.
No "do not track" setting is needed. My idea is the user could set up request headers arbitrarily, as well as overriding response headers (including some "protected" ones, which are stripped if received from a remote site, so are only effective if set up by the user). For example, to enable "do not track", you can add the rule which adds the request header "DNT:1" with the criteria specified as "always".
I would also ensure that all timing APIs can be spoofed (including the JavaScript core Date object; in my opinion this is an I/O function so it shouldn't belong in the core). This is probably useful for testing, as well as for the end user to get rid of annoyances too.
In normal view and ARIA view, the viewport height would always be reported as Infinity. In print preview and in presentation view (which is a paged/screen media type), the viewport height is reported correctly.
Was it ever robust? Or just that there weren't yet so many exploits?
Qubes OS v4+ does not use typical software virtualization methods. VT-d hardware virtualization it uses was broken only once, and it was done by the Qubes founder: https://en.wikipedia.org/wiki/Blue_Pill_(software)
EDIT: not just zerodays. Many organizations have patch schedules that are too slow.
If they did, there would be more effort and knowledge about the subject
The Volexity blog covers some of the earlier watering hole attacks in more detail.