Installed programs are the weakest link in the security of an OS like windows - should users not use programs? Users are just as likely to download a sketchy program as a sketchy extension, is that not even more severe of a risk?
User education and better marketplace policing are the solution, not silly blanket statements like that.
Running untrusted code is the weakest link. In an ideal world users would be writing the code themselves or running a verified, trusted, signed and hashed reproduceable build binary.
I agree with this however that would limit just about all software unless it has been properly and deeply inspected by people paid to do just this. If I go through the project pages of all the software that comes with Linux I know I will not find code reviews at each artifact release version that has been reviewed by the NCC group, Google project zero, etc... FWIW it could be said that most of the software in use today is untrusted in that regard, even the most commonly used browsers. Some may think browsers have so many eyes on them that a subtle weakness could not be introduced but I also disagree with that. A more widely used application is an even bigger juicy delicious target for nation state actors to get employed and introduce multiple subtle changes that work in conjunction with one another and OS design flaws. I would wager that every browser has malicious actors either contributing subtle weaknesses or possibly sleeping until they are given orders.
If you were forced to step back and rank the features on your phone you found most important, ones you couldn't live without, not mere conveniences, you would find it's only a few main things. Securing those things can be achieved with simple, free, auditable, reproduceable, off the shelf tools, they just lack the conveniences that we get from the corporate apps with masses of random developer add-ons.
I use voice and text. I've only had a smart phone for a couple years and I hate it. Whoever it was here that gave me the nickname Jethro Gibbs was right. I am currently looking for a real for really real dumb phone that can do VoWifi basically SIP over ipsec because my LTE coverage is awful. I do not consider anything related to wireless to be secure as it is closed source and the carriers care not about their customers. source: I worked for one and helped build out their network They can't even kick China back out of the FBI lawful intercept API's, even to this day.
I place a lot of the blame for the success of this phishing attack with how the Chrome Web Store, and Google more broadly, is operated.
If you train your developers that you are willing to unilaterally and suddenly disable published extensions for editorial, non-security-related reasons (which the article's screenshots indicate was the excuse) - and that it's completely expected that such an action might occur on Christmas, and a well-founded one based on history - that's a poor developer experience.
And on top of that, if Google has the ability for an OAuth app to get extension upload permissions, without screaming as part of the OAuth authorization process "This will provide third parties unrelated to Google the ability to update extensions. Be sure that this is intended." - then that is bad OAuth design that exacerbates the above problem.
If you're designing a software supply chain, and you have a choice to allow updates over API, the onus is on you to either ensure your authentication UX causes spear phishing targets to think twice before they let themselves get pwned. And I get that there are certainly different teams working on the OAuth frontend and the Chrome Web Store backend - but if the backend team doesn't have the willpower and/or ability to have red-teamed this exact spear phishing situation, and have escalated their security concerns to the frontend team, that's an organizational failure.
14 comments
[ 3.0 ms ] story [ 47.5 ms ] thread> GraphQL Network Inspector
It's been fully patched since: https://github.com/warrenday/graphql-network-inspector/issue...
Which is why you shouldn't use them.
Installed programs are the weakest link in the security of an OS like windows - should users not use programs? Users are just as likely to download a sketchy program as a sketchy extension, is that not even more severe of a risk?
User education and better marketplace policing are the solution, not silly blanket statements like that.
I agree with this however that would limit just about all software unless it has been properly and deeply inspected by people paid to do just this. If I go through the project pages of all the software that comes with Linux I know I will not find code reviews at each artifact release version that has been reviewed by the NCC group, Google project zero, etc... FWIW it could be said that most of the software in use today is untrusted in that regard, even the most commonly used browsers. Some may think browsers have so many eyes on them that a subtle weakness could not be introduced but I also disagree with that. A more widely used application is an even bigger juicy delicious target for nation state actors to get employed and introduce multiple subtle changes that work in conjunction with one another and OS design flaws. I would wager that every browser has malicious actors either contributing subtle weaknesses or possibly sleeping until they are given orders.
If you train your developers that you are willing to unilaterally and suddenly disable published extensions for editorial, non-security-related reasons (which the article's screenshots indicate was the excuse) - and that it's completely expected that such an action might occur on Christmas, and a well-founded one based on history - that's a poor developer experience.
And on top of that, if Google has the ability for an OAuth app to get extension upload permissions, without screaming as part of the OAuth authorization process "This will provide third parties unrelated to Google the ability to update extensions. Be sure that this is intended." - then that is bad OAuth design that exacerbates the above problem.
If you're designing a software supply chain, and you have a choice to allow updates over API, the onus is on you to either ensure your authentication UX causes spear phishing targets to think twice before they let themselves get pwned. And I get that there are certainly different teams working on the OAuth frontend and the Chrome Web Store backend - but if the backend team doesn't have the willpower and/or ability to have red-teamed this exact spear phishing situation, and have escalated their security concerns to the frontend team, that's an organizational failure.
Amazing.
What do you think - what is more risky: a) manual update (and risk of 0day attacks) or b) auto-update (and risk supply-chain attacks)?