Posts by fugueish@infosec.exchange
 (DIR) Post #AZb9MP2hCF5y7ftIcC by fugueish@infosec.exchange
       2023-09-09T17:20:42Z
       
       0 likes, 0 repeats
       
       @maruel @zekjur I think that discussion predates me. I think the kernel does matter: Zircon is smaller, designed for privilege reduction, and implemented by people working hard to respond to security problems.
       
 (DIR) Post #AZb9MPVPTU41YjKEN6 by fugueish@infosec.exchange
       2023-09-09T05:03:11Z
       
       0 likes, 0 repeats
       
       For a long time, we were unhappy about having to spend so much time on each of our various Raspberry Pis, taking care of security updates and other general Linux distribution maintenance. Then, we had a crazy idea: what if we massively reduced the overall system complexity by getting rid of all software we don’t strictly need, and instead built up a minimal system from scratch entirely in Go, a memory safe programming language?
       https://gokrazy.org/
       
 (DIR) Post #AZd0kGMkb3FWtLUg1Q by fugueish@infosec.exchange
       2023-09-08T20:49:38Z
       
       0 likes, 0 repeats
       
       Chesterton's Fence is just reactionary jibber-jabber, and not good engineering advice. If he loved his fence so much, he should have documented and tested it.
       
 (DIR) Post #AZgRRO8OlmZPigsvGC by fugueish@infosec.exchange
       2023-09-12T05:03:58Z
       
       0 likes, 0 repeats
       
       All my Gen-X senses started to tingle.
       https://www.mcsweeneys.net/articles/an-open-letter-to-the-pair-of-gen-z-men-in-the-northeast-regional-quiet-car-loudly-discussing-pitchforks-100-best-albums-of-all-time
       
 (DIR) Post #AaVmPHLf5sO2i0nx6e by fugueish@infosec.exchange
       2023-09-21T18:04:47Z
       
       0 likes, 1 repeats
       
       These 3 things are related:
       https://www.whitehouse.gov/oncd/briefing-room/2023/08/10/fact-sheet-office-of-the-national-cyber-director-requests-public-comment-on-open-source-software-security-and-memory-safe-programming-languages/
       https://support.apple.com/en-us/HT213926
       https://www.open-std.org/jtc1/sc22/wg21/docs/papers/2023/p2759r0.pdf
       The disregard for safety of all kinds that is endemic in C/C++ is having human rights and foreign policy implications way above the level of engineers who have built little fiefdoms on quicksand.
       
 (DIR) Post #AaVmPJrHlGs4UfcEfw by fugueish@infosec.exchange
       2023-09-21T18:39:17Z
       
       0 likes, 0 repeats
       
       https://www.cisa.gov/news-events/news/urgent-need-memory-safety-software-products (by @boblord)
       
 (DIR) Post #AatGMtU95a7pCa14b2 by fugueish@infosec.exchange
       2023-10-18T03:36:28Z
       
       1 likes, 0 repeats
       
       @lcamtuf The uBlock guy ended up admitting that Manifest v3, which addresses the security concerns pretty well, can work. uBlock Lite is the one. I wrote my own which is ultra-minimal and blocks well enough. (You just give it a list of URL patterns in the Mv3 URL pattern language.)
       
 (DIR) Post #AbO5xpYYsf5oPRN2H2 by fugueish@infosec.exchange
       2023-10-10T00:34:59Z
       
       0 likes, 1 repeats
       
       To that end, we have rewritten the Android Virtualization Framework’s protected VM (pVM) firmware in Rust to provide a memory safe foundation for the pVM root of trust. This firmware performs a similar function to a bootloader, and was initially built on top of U-Boot, a widely used open source bootloader. However, U-Boot was not designed with security in a hostile environment in mind, and there have been numerous security vulnerabilities found in it due to out of bounds memory access, integer underflow and memory corruption. Its VirtIO drivers in particular had a number of missing or problematic bounds checks. We fixed the specific issues we found in U-Boot, but by leveraging Rust we can avoid these sorts of memory-safety vulnerabilities in future. The new Rust pVM firmware was released in Android 14.
       https://security.googleblog.com/2023/10/bare-metal-rust-in-android.html
       
 (DIR) Post #AbPRi74EOtFaEb3PyS by fugueish@infosec.exchange
       2023-08-30T23:57:52Z
       
       0 likes, 1 repeats
       
       The first stable release of a memory-safe implementation of sudo: https://www.memorysafety.org/blog/sudo-first-stable-release/
       
 (DIR) Post #AbPRi9H4C8hp4z4hG4 by fugueish@infosec.exchange
       2023-08-30T23:59:10Z
       
       0 likes, 0 repeats
       
       - Using a memory safe language (Rust), as it's estimated that one out of three security bugs in the original sudo have been memory management issues
       - Leaving out less commonly used features so as to reduce attack surface
       - Developing an extensive test suite which even managed to find bugs in the original sudo
       
 (DIR) Post #AbYU3dJXeP9geuFCNs by fugueish@infosec.exchange
       2023-11-07T06:47:23Z
       
       0 likes, 0 repeats
       
       @ondra @sereeena Agree with those. Also here is a big one (sorry): installed/windowed apps aren't available as Share targets on Android Chrome. A small one (Android):
       Copy a URL to share it in another app.
       Swipe over to that app, share.
       Swipe back to Chrome.
       You have to swipe left twice, not once, to fully dismiss the Omnibox and get back to reading the page. I wish I only had to swipe once.
       
 (DIR) Post #AbZWFZtYaC3qb0sCq8 by fugueish@infosec.exchange
       2023-11-07T18:43:08Z
       
       0 likes, 1 repeats
       
       Particularly exciting, to me at least: https://chromium.googlesource.com/chromium/src/+/main/docs/security/research/graphics/webgpu_technical_report.md
       
 (DIR) Post #Ac5UK5GRAXjBpVlkrQ by fugueish@infosec.exchange
       2023-11-23T04:55:20Z
       
       0 likes, 1 repeats
       
       WordPerfect, Wordstar, Word: What You See Is What You Get (WYSIWYG)
       roff, troff, groff: What You Get Is, Thank Gourd, Entirely Unrelated To What You See
       TeX: underfull hbox badness 10,000
       
 (DIR) Post #Ac7AUSUY3RyhzuxWRk by fugueish@infosec.exchange
       2023-11-23T22:58:29Z
       
       0 likes, 0 repeats
       
       @slightlyoff @nf3xn I love the idea that the dash is the deal-breaker. Settle down 😂
       
 (DIR) Post #AcYMwpFPUHJhOr5afQ by fugueish@infosec.exchange
       2023-12-07T02:50:16Z
       
       0 likes, 1 repeats
       
       Imma let you finish, but tmux is the greatest systemd of all TIMEEEEEE
       
 (DIR) Post #Acca3vQPt5mtDq29po by fugueish@infosec.exchange
       2023-12-09T03:16:20Z
       
       0 likes, 0 repeats
       
       For my [redacted]th birthday a few weeks back, I decided to finally use a real IDE, after decades of using 1970s technology. I am now using technology that was current when I was really into Duran Duran!
       
 (DIR) Post #Acca3xJOs9Mb4elaAy by fugueish@infosec.exchange
       2023-12-09T03:35:28Z
       
       0 likes, 0 repeats
       
       @patrickod Call me a cyber-goat, but I am actually enjoying VS Code?!
       
 (DIR) Post #Acca3yzccejOHtWocq by fugueish@infosec.exchange
       2023-12-09T03:44:32Z
       
       0 likes, 0 repeats
       
       @patrickod In another 10 years, maybe I'll use a real debugger instead of printf...no
       
 (DIR) Post #AcoPvP8pMlXT8PckwS by fugueish@infosec.exchange
       2023-12-14T21:00:19Z
       
       1 likes, 0 repeats
       
       1995: "We have invented HTML and JavaScript! They aren't quite as good as HyperCard, but the awesome power of HTTP and the Internet makes up for it"
       Everybody: woo hoo! Fuck yes!
       2023: "Showing text on the screen is an unsolved Hard Problem"
       Everybody: ...
       
 (DIR) Post #AdYVK2lyVMhUdN7Jku by fugueish@infosec.exchange
       2024-01-06T02:44:17Z
       
       0 likes, 1 repeats
       
       Chrome vs Firefox when it comes to Reader Mode: not even close. It's been like this for years. Chrome should just remove the feature completely if they aren't going to support it/make it work at all.
       There's no shame in just saying "we're not doing that feature, we're doing other stuff"! It's ok. But don't raise a pop-up for a feature that has never worked.