Another reason is that the official Firefox builds for at least GNU/Linux doesn't employ standard exploit mitigations (stack canaries, position independent code, read-only GOT).
One of those groups is Global Cyber Allience (GCA): "GCA, a 501(c)3, was founded in September 2015 by the Manhattan District Attorney’s Office, the City of London Police and the Center for Internet Security."…
> Quicklisp is de-facto the only widely used library manager in Common Lisp world, and so it’s written in Common Lisp and doesn’t have any tests. It’s a wonder for me how it’s not breaking! Quicklisp also downloads and…
> In case of Maven - and likely most others - packages are not even digitally signed by the publisher Last time I explored the atrocious state of language-specific package managers, Maven Central was (and I'm guessing…
The ISP in question is in Turkey, so it should probably be noted that the Turkish government has a root cert trusted by both Mozilla and Microsoft. https://ccadb-public.secure.force.com/mozilla/IncludedCACert...…
Had a quick glance and your code is littered with unchecked function calls and potential overflows. Also: Cookie:../../../<filename> Where <filename> is a file starting with a value that's interpreted as a valid uid by…
https://libreboot.org/faq.html#what-other-firmware-exists-ou...
> What is the boundary, in digital devices, between hardware and software? It follows from the definitions. Software is the operational part of a device that can be copied and changed in a computer; hardware is the…
it should be noted that nightmare isn't safe for untrusted websites: https://github.com/segmentio/nightmare/issues/1060
how does debian developers independently building on their machines help? if anything it adds another point of failure. if you trust upstream enough to run their code, you implicitly trust the state of their hardware…
huh? "when will we finally throw away binary uploads" https://lists.debian.org/debian-devel/2014/02/msg00622.html "For instance, when a maintainer uploads a (portable) source packages with binaries for the i386…
there was a paper published 2008 on the state of linux/bsd package managers. some of the information is outdated (eg. pacman now signs their packages) however it is probably still of interest, esp. with all the…
not necessarily. there are software emulation -- examples would be W^X on OpenBSD[1] and Grsecurity/PaX on linux[2]. Ubuntu[3] and RedHat[4] also has (partial) NX-emulation thanks to ExecShield. As for OpenBSD and Linux…
you bet? yet in your previous comment you stated it as a fact
no. did you read the first paragraph? > FreeBSD lacks basic low-level exploit mitigation, such as Address Space Layout Randomization (ASLR) the whitepaper you linked was published in 2014 by Shawn Webb, one of the…
why not freebsd? the freebsd project seem to focus exclusively on post-attack with jails and trustedbsd mac. fbsd has not implemented any of the modern exploit mitigation techniques. i mean, even os x has had full aslr…
...and could software deployed to the device by some random who just exploited some well-known security flaw that never got patched, kill people?
using software with known problems in order to avoid potential problems from an upgrade does not seem like a non-bad decision
and what about security updates to the snakeoil they sell, eg. https://bugs.chromium.org/p/project-zero/issues/detail?id=69...
stability /or/ security? because a box running code with bugs that may result in a thwarted control flow is the pinnacle of stability? your firewall won't help against socket re-use; and most configs won't stop…
It should be noted that "The packages and ports collection does NOT go through the same thorough security audit that is performed on the OpenBSD base system." -- http://www.openbsd.org/faq/faq15.html
That's a half-truth. Ideally they would, but they don't. vlc 2.2.1 (CVE-2015-5949) php 5.6.18 (CVE-2016-3142, CVE-2016-3141) firefox 44.0.2 (CVE-2016-1969, CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792,…
Using binaries provided by Mozilla is not a good idea (unless they do things differently with the snaps). They are not hardened in any way; ie. no PIE (rendering ASLR pretty much useless), no stack canaries, no relro,…
xombrero depends on webkit. truly minimal? right. oriented towards security? have you not seen how WebKit does security? they wait for dozens of reported vulns before patching/disclosing. nothing that depends on webkit…
And how many times must central repositories be compromised, and vulnerabilities such as this one be disclosed, before people start to realize that /completely/ ignoring the progress of the well-known package managers…
Another reason is that the official Firefox builds for at least GNU/Linux doesn't employ standard exploit mitigations (stack canaries, position independent code, read-only GOT).
One of those groups is Global Cyber Allience (GCA): "GCA, a 501(c)3, was founded in September 2015 by the Manhattan District Attorney’s Office, the City of London Police and the Center for Internet Security."…
> Quicklisp is de-facto the only widely used library manager in Common Lisp world, and so it’s written in Common Lisp and doesn’t have any tests. It’s a wonder for me how it’s not breaking! Quicklisp also downloads and…
> In case of Maven - and likely most others - packages are not even digitally signed by the publisher Last time I explored the atrocious state of language-specific package managers, Maven Central was (and I'm guessing…
The ISP in question is in Turkey, so it should probably be noted that the Turkish government has a root cert trusted by both Mozilla and Microsoft. https://ccadb-public.secure.force.com/mozilla/IncludedCACert...…
Had a quick glance and your code is littered with unchecked function calls and potential overflows. Also: Cookie:../../../<filename> Where <filename> is a file starting with a value that's interpreted as a valid uid by…
https://libreboot.org/faq.html#what-other-firmware-exists-ou...
> What is the boundary, in digital devices, between hardware and software? It follows from the definitions. Software is the operational part of a device that can be copied and changed in a computer; hardware is the…
it should be noted that nightmare isn't safe for untrusted websites: https://github.com/segmentio/nightmare/issues/1060
how does debian developers independently building on their machines help? if anything it adds another point of failure. if you trust upstream enough to run their code, you implicitly trust the state of their hardware…
huh? "when will we finally throw away binary uploads" https://lists.debian.org/debian-devel/2014/02/msg00622.html "For instance, when a maintainer uploads a (portable) source packages with binaries for the i386…
there was a paper published 2008 on the state of linux/bsd package managers. some of the information is outdated (eg. pacman now signs their packages) however it is probably still of interest, esp. with all the…
not necessarily. there are software emulation -- examples would be W^X on OpenBSD[1] and Grsecurity/PaX on linux[2]. Ubuntu[3] and RedHat[4] also has (partial) NX-emulation thanks to ExecShield. As for OpenBSD and Linux…
you bet? yet in your previous comment you stated it as a fact
no. did you read the first paragraph? > FreeBSD lacks basic low-level exploit mitigation, such as Address Space Layout Randomization (ASLR) the whitepaper you linked was published in 2014 by Shawn Webb, one of the…
why not freebsd? the freebsd project seem to focus exclusively on post-attack with jails and trustedbsd mac. fbsd has not implemented any of the modern exploit mitigation techniques. i mean, even os x has had full aslr…
...and could software deployed to the device by some random who just exploited some well-known security flaw that never got patched, kill people?
using software with known problems in order to avoid potential problems from an upgrade does not seem like a non-bad decision
and what about security updates to the snakeoil they sell, eg. https://bugs.chromium.org/p/project-zero/issues/detail?id=69...
stability /or/ security? because a box running code with bugs that may result in a thwarted control flow is the pinnacle of stability? your firewall won't help against socket re-use; and most configs won't stop…
It should be noted that "The packages and ports collection does NOT go through the same thorough security audit that is performed on the OpenBSD base system." -- http://www.openbsd.org/faq/faq15.html
That's a half-truth. Ideally they would, but they don't. vlc 2.2.1 (CVE-2015-5949) php 5.6.18 (CVE-2016-3142, CVE-2016-3141) firefox 44.0.2 (CVE-2016-1969, CVE-2016-1977, CVE-2016-2790, CVE-2016-2791, CVE-2016-2792,…
Using binaries provided by Mozilla is not a good idea (unless they do things differently with the snaps). They are not hardened in any way; ie. no PIE (rendering ASLR pretty much useless), no stack canaries, no relro,…
xombrero depends on webkit. truly minimal? right. oriented towards security? have you not seen how WebKit does security? they wait for dozens of reported vulns before patching/disclosing. nothing that depends on webkit…
And how many times must central repositories be compromised, and vulnerabilities such as this one be disclosed, before people start to realize that /completely/ ignoring the progress of the well-known package managers…