diff --git a/content/posts/floss-security.gmi b/content/posts/floss-security.gmi index 129230e..e5cccec 100644 --- a/content/posts/floss-security.gmi +++ b/content/posts/floss-security.gmi @@ -2,8 +2,8 @@ I find it easy to handle views different from my own. I feel more troubled when It's no secret that I'm a passionate supporter of software freedom: I've written two posts about how Free, Libre, and Open-Source Software (FLOSS) is necessary but insufficient to preserve user autonomy: -=> ./../../../2021/01/27/whatsapp-and-the-domestication-of-users.gmi Whatsapp and the Domestication of Users -=> ./../../../2021/02/23/keeping-platforms-open.gmi Keeping Platforms Open +=> ./../../../2021/01/27/whatsapp-and-the-domestication-of-users.gmi Whatsapp and the domestication of users +=> ./../../../2021/02/23/keeping-platforms-open.gmi Keeping platforms open After two posts spanning over 5000 words, I need to add some nuance. diff --git a/content/posts/floss-security.md b/content/posts/floss-security.md index 61cf521..06dfa82 100644 --- a/content/posts/floss-security.md +++ b/content/posts/floss-security.md @@ -11,8 +11,8 @@ I find it quite easy to handle views different from my own. I feel more troubled It's no secret that I'm a passionate supporter of software freedom: I've written two posts about how Free, Libre, and Open-Source software (FLOSS) is necessary but insufficient to preserve user autonomy: -1. **[Whatsapp and the Domestication of Users](./../../../2021/01/27/whatsapp-and-the-domestication-of-users.html)**
The phenomenon of a class of predatory businesses models I call "user domestication" and defense measures: FLOSS, open platforms, and simplicity. -2. **[Keeping Platforms Open](./../../../2021/02/23/keeping-platforms-open.html)**
How open platforms can lose their openness, and what measures can prevent this. The Web, XMPP, email, and Matrix are examples that highlight both sides of the issue. +1. **[Whatsapp and the domestication of users](./../../../2021/01/27/whatsapp-and-the-domestication-of-users.html)**
The phenomenon of a class of predatory businesses models I call "user domestication" and defense measures: FLOSS, open platforms, and simplicity. +2. **[Keeping platforms open](./../../../2021/02/23/keeping-platforms-open.html)**
How open platforms can lose their openness, and what measures can prevent this. The Web, XMPP, email, and Matrix are examples that highlight both sides of the issue. After two posts spanning over 5000 words, I need to add some nuance. @@ -85,7 +85,7 @@ For more information, we turn to [**core dumps**](https://en.wikipedia.org/wiki/ #### Dynamic analysis example: Zoom -In 2020, Zoom Video Communications came under scrutiny for marketing its "Zoom" software as a secure, end-to-end encrypted solution for video conferencing. Zoom's documentation claimed that it used "AES-256" encryption. Without source code, did we have to take the docs at their word? +In 2020, Zoom Video Comm­unications came under scrutiny for marketing its "Zoom" software as a secure, end-to-end encrypted solution for video conferencing. Zoom's documentation claimed that it used "AES-256" encryption. Without source code, did we have to take the docs at their word? [The Citizen Lab](https://citizenlab.ca/) didn't. In April 2020, it published [a report](https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/) revealing critical flaws in Zoom's encryption. It utilized Wireshark and [mitmproxy](https://mitmproxy.org/) to analyze networking activity, and inspected core dumps to learn about its encryption implementation. The Citizen Lab's researchers found that Zoom actually used an incredibly flawed implementation of a weak version of AES-128 (ECB mode), and easily bypassed it. @@ -151,12 +151,12 @@ Fuzzing frequently catches bugs that are only apparent by running a program, not If you want to get started with fuzzing, I recommend checking out [the quick-start guide for American Fuzzy Loop](https://github.com/google/AFL/blob/master/docs/QuickStartGuide.txt). Some languages like Go 1.18 also have fuzzing tools available right in the standard library. -### Example: CVE-2022-0185 +### Example: CVE-2022-0185 -A recent example of how fuzzing helps spot a vulnerability in an open-source project is [CVE-2022-0185](https://www.openwall.com/lists/oss-security/2022/01/18/7): a Linux 0-day found by the Crusaders of Rust a few weeks ago. It was discovered using the [syzkaller](https://github.com/google/syzkaller) kernel fuzzer. The process was documented on Will's Root: +A recent example of how fuzzing helps spot a vulnerability in an open-source project is [CVE-2022-0185](https://www.openwall.com/lists/oss-security/2022/01/18/7): a Linux 0-day found by the Crusaders of Rust a few weeks ago. It was discovered using the [syzkaller](https://github.com/google/syzkaller) kernel fuzzer. The process was documented on Will's Root:

- CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers by {{

I _highly_ encourage giving it a read; it's the perfect example of fuzzing with sanitizers to find a vulnerability, reproducing the vulnerability (by writing a tiny C program), _then_ diving into the source code to find and fix the cause, and finally reporting the issue (with a patch!). When source isn't available, the vendor would assume responsibility for the "find and fix" steps. @@ -174,7 +174,7 @@ I readily concede to several points in favor of source availability from a secur - Closed-source software may or may not have builds available that include sanitizers and debug symbols. - Although fuzzing release binaries is possible, fuzzing is much easier to do when source code is available. Vendors of proprietary software seldom release special fuzz-friendly builds, and filtering out false-positives can be quite tedious without understanding high-level design. - It is certainly possible to notice a vulnerability in source code. Excluding low-hanging fruit typically caught by static code analysis and peer review, it's not the main way most vulnerabilities are found nowadays (thanks to {{}} for [reminding me about what source analysis does accomplish](https://lemmy.ml/post/167321/comment/117774)). -- Software as a Service can be incredibly difficult to analyze, as we typically have little more than the ability to query a server. Servers don't send core dumps, server-side binaries, or trace logs for analysis. Furthermore, it's difficult to verify which software a server is running.[^14] For services that require trusting a server, access to the server-side software is important from both a security and a user-freedom perspective +- Software as a Service can be incredibly difficult to analyze, as we typically have little more than the ability to query a server. Servers don't send core dumps, server-side binaries, or trace logs for analysis. Further­more, it's difficult to verify which software a server is running.[^14] For services that require trusting a server, access to the server-side software is important from both a security and a user-freedom perspective Most of this post is written with the assumption that binaries are inspectable and traceable. Binary obfuscation and some forms of content protection/DRM violate this assumption and actually do make analysis more difficult. @@ -189,8 +189,8 @@ Whether or not the source code is available for software does not change how ins Both Patience and {{}} argue that given the above points, a project whose goal is maximum security would release code. Strictly speaking, I agree. Good intentions don't imply good results, but they can _supplement_ good results to provide some trust in a project's future. -Conclusion ----------- +Con­clusion {#conclusion} +--------------- I've gone over some examples of how analyzing a software's security properties need not depend on source code, and vulnerability discovery in both FLOSS and in proprietary software uses source-agnostic techniques. Dynamic and static black-box techniques are powerful tools that work well from user-space (Zoom) to kernel-space (Linux) to low-level components like Intel ME+AMT. Source code enables the vulnerability-fixing process but has limited utility for the evaluation/discovery process. diff --git a/content/posts/permissions-policy-floc-misinfo.md b/content/posts/permissions-policy-floc-misinfo.md index 41a2b61..6daf51c 100644 --- a/content/posts/permissions-policy-floc-misinfo.md +++ b/content/posts/permissions-policy-floc-misinfo.md @@ -7,7 +7,7 @@ outputs: - html - gemtext footnote_heading: Notes -title: "Misinformation about Permissions Policy and FLoC" +title: "Misinfo about Permissions Policy and FLoC" --- _Update: I've amended this post with a valid reason to use the header. More info at the bottom._ diff --git a/content/posts/whatsapp-and-the-domestication-of-users.md b/content/posts/whatsapp-and-the-domestication-of-users.md index 8a8a8ce..6c334b9 100644 --- a/content/posts/whatsapp-and-the-domestication-of-users.md +++ b/content/posts/whatsapp-and-the-domestication-of-users.md @@ -22,7 +22,7 @@ WhatsApp wasn't the first instant messenger of its kind, and probably won't be t With the meta-explanation out of the way, let us begin. -WhatsApp's rise +Whats­App's rise {#whatsapps-rise} --------------- For those unfamiliar, WhatsApp is a tool that makes it convenient and easy to help Facebook further its core mission: the optimization and auctioning of human behavior (colloquially known as "targeted advertising"). It originally persuaded people to consent to this by allowing them to send text to each other over the Internet, something that was [already possible](https://en.wikipedia.org/wiki/Comparison_of_instant_messaging_protocols), and combining an easy-to-learn UI with successful marketing. It then expanded to include features such as free voice and video calls. Free calls helped it grow to become the de-facto communication platform many regions. I'm stunned at its ubiquity every time I visit my extended family in India; I'm frequently greeted by looks of confusion when I remind them that I don't use WhatsApp.