18 comments

[ 3.0 ms ] story [ 48.3 ms ] thread
Developers should be required to add flags to allow reading/writing to disk. i.e. choose —-insecure-disk—access or —-allow-read=/myapp

I hate the idea of making things a tiny bit more difficult for beginner developers, but what is the alternative?

Ok, then every developer picks --insecure-disk-access. Now what?
This is more on the user end, but there's ways for users to isolate programs in such a way that this malware wouldn't have access to e.g. browser files and cryptocurrency wallets, some more effective/practical than others. Virtual machines, containers, jails, chroots, etc.

I think one example of what you're talking about can be seen on Android. The developer has to explicitly declare permissions (like file access) in the manifiest, and the user has to explicitly approve it.

A reasonable alternative would be for the app to have no permissions and request permissions from the OS that would either deny access or prompt the user.

Most apps have no business outside their own data/cache folders.

I think the Apple implementation is a good start.

And yet, everyone hates snap
snap is being hated for different reasons. Namely a closed backend, a walled garden, and packages pushed down the throats of users for “creating a positive pressure on the Snap team to do a good job”.
> A reasonable alternative would be for the app to have no permissions and request permissions from the OS that would either deny access or prompt the user.

A reasonable alternative would be for the app to have no access to the internet and work freely with the available files, just like before. Why must every app be an RCE vector ?

I'm not quite sure what the RAT refers to in the article.
Remote Access Trojan
Remote access tool. There are plenty of legitimate uses of rats, and given that its no longer the 90s the rat and the trojan are separate programs in almost non-toy implementation
(comment deleted)
Even North Koreans hate Windows. Or are at least branching out to Mac and Linux. Lol
It's depressing that using Firefox is becoming security by obscurity.
Yeah I've got zero interest in running a web3-enabled browser. Until my landlord requires payment in crypto, I'll just keep to investing in traditional markets and spending fiat.
I wonder if I have to start working on take home problems inside a VM because it might potentially have malware in it.

Although, given the number of features being asked to implement, I'd probably have passed on this one.