[HN Gopher] I discovered a critical exploit in ZeroMQ with mostl...
___________________________________________________________________
I discovered a critical exploit in ZeroMQ with mostly pure luck
Author : fangpenlin
Score : 115 points
Date : 2024-04-08 15:28 UTC (3 days ago)
(HTM) web link (fangpenlin.com)
(TXT) w3m dump (fangpenlin.com)
| FabHK wrote:
| Meta comment on this (excellent) article: I liked the memes _and_
| the accessibility-friendly captions thereof.
| eddd-ddde wrote:
| Now I'm really curious how blind people experience memes. Like
| if you read "cat at table meme" is it funny in its own way?
| starttoaster wrote:
| I imagine there's some amount of conditioning (for lack of a
| better word), and some amount of how well the meme author
| annotated it. Mostly just postulating, with a small amount of
| experience having been an assistant to a blind person for a
| short stint. But I imagine you're onto something, that as
| people who experience memes visually, we'd find the meme's
| description less funny than someone who relied on that
| description to experience the comedic effect of the meme;
| they might just use their imagination to fill in the gaps
| more naturally than we do. But there are of course limits to
| what details we can divine from our imagination, so I imagine
| there's a lot of memes where blind people are left
| contextless unfortunately.
|
| I don't know that everyone has one of these. But the
| professor I assisted for that aforementioned short stint also
| had a special braille printer, of course. I believe these
| printers have since advanced to the point of being able to
| render photos in a sort of limited fashion where the paper is
| indented to contour to lines. I believe there are also
| tactile tablets now for the visually disabled.
| theamk wrote:
| I find any sort of animated pictures next to the text supremely
| annoying. I had to scroll the text to keep them out of the
| screen just so I could read in peace.
|
| And yet you liked it... I wonder if this is a generational
| thing (I was born in 1980's)? Or "I don't run adblocker" thing?
| arcanemachiner wrote:
| We should start a club.
|
| In the meantime, I just use an image blocker extension when I
| encounter those articles.
|
| My mobile browser (Cromite on Android, Chromium fork) also
| has a setting to toggle images, which is also good.
| teslabox wrote:
| This was not "pure luck". Reminded me of that quote about chance
| favoring the prepared:
|
| "Dans les champs de l'observation le hasard ne favorise que les
| esprits préparés." -Louis Pasteur
|
| In the fields of observation chance favours only the prepared mind.
|
| Variant translations of this or similar statements include:
|
| * Chance favors the prepared mind.
| * Fortune favors the prepared mind.
| * In the field of observation, chance favors the prepared mind.
| * Where observation is concerned, chance favors only the prepared mind.
|
| https://en.wikiquote.org/wiki/Louis_Pasteur#Quotes
|
| edit: "Louis Pasteur's quote "Chance favors the prepared mind"
| means that the better prepared and more knowledgeable you are,
| the more you'll be able to take advantage of any chance
| opportunities or observations.
|
| "If you are unaware of things that influence a situation or an
| event, you are very unlikely to be able to identify any
| opportunity or learn anything significantly new. By having
| insight, interest, and aptitude related to the situation, you put
| yourself in the position to capitalize upon any hidden "nuggets"
| buried at the moment."
|
| - https://asymmetric.pro/chance-favors-the-prepared-mind/
| pstrateman wrote:
| One: the bug is in CurveZMQ, not ZMQ.
|
| Two: do not expose ZMQ to untrusted networks.
|
| edit: lol their website doesn't even have a valid cert
| http://curvezmq.org/
| lambdaxyzw wrote:
| > Two do not expose zmq to untrusted networks
|
| one: Is this documented somewhere? I use zeromq for the
| (internal, but by design usually accessible on the public
| internet) API of my project
|
| two: what happened to zero trust? Every network is untrusted.
| samtheprogram wrote:
| > internal, but by design usually accessible on the public
| internet
|
| Your API can be accessible obviously, but put ZeroMQ behind a
| firewall so only the API server can reach it.
|
| If it's running on the same server, at least block the port
| ZeroMQ is listening on from the outside world.
| fragmede wrote:
| People make fun of Kubernetes or "resume driven
| development" for making things more complex than they need
| to be, but this is why you want mTLS via a sidecar with
| short auto renewed certificates on a mesh inside your
| distributed system of an operating stack, when the system is
| big enough to justify that complexity. Something the size
| of, like, Airbnb should have that.
| theamk wrote:
| Or a wireguard VPN. Or even just socat with mTLS inside
| systemd.
|
| There are easier ways to achieve that than kubernetes
| with sidecar mesh.
| pstrateman wrote:
| I don't know if the ZMQ people have ever admitted to it, but
| you'd be crazy to expose ZMQ to the public internet.
| mynameisvlad wrote:
| This is the equivalent of "trust me bro".
|
| Do you have any specific reasons why this is a bad idea?
| Especially if it's been secured, as the article implies it
| was.
| smueller1234 wrote:
| Zeromq will have changed a lot since then, but some time in
| the 2010s, I prototyped a system using it (which was going to
| be a major production system in a large tech company) and had
| weird unexpected blocking issues with it. To debug, I sat
| down to read a bunch of the zeromq code, just to realize that
| it was using assert() to handle wire protocol errors
| (unrelated to the blocking bug).
|
| I've never dropped a piece of software as quickly as that.
| rcxdude wrote:
| More or less my experience as well. Asserting on bad user
| configuration, asserting on OS errors that weren't in a
| particular list. I followed their recommendation of having
| a "small, simple, reliable" broker and it kept crashing on
| asserts in the library at the worst times.
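The failure mode smueller1234 and rcxdude describe, as an added example that is not libzmq's code: a toy length-prefixed frame parser written first with assert() guarding wire-protocol fields, then with explicit checks that return a status. The frame layout (one flags byte, a LONG bit selecting a 1-byte or 8-byte big-endian size, then the body), the 64 KiB body cap and the sample frames are all constructed for this illustration, loosely modelled on a ZMTP-style header; none of it is the real protocol or library.

```c
/* Added illustration, not libzmq's code. Frame layout, body cap and
 * sample frames are constructed for this example (ZMTP-like, not ZMTP). */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FLAG_LONG 0x02u           /* size field is 8 bytes, not 1 */
#define FLAG_MASK 0x07u           /* only the low three flag bits are defined here */
#define MAX_BODY  (64u * 1024u)   /* body cap chosen for this example */

enum frame_status { FRAME_OK = 0, FRAME_TRUNCATED, FRAME_TOO_LARGE, FRAME_BAD_FLAGS };
struct frame { uint8_t flags; size_t body_len; const uint8_t *body; };

static uint64_t read_be64(const uint8_t *p)
{
    uint64_t n = 0;
    for (int i = 0; i < 8; i++) n = (n << 8) | p[i];
    return n;
}

/* The pattern the comments describe: a protocol violation by the peer is
 * treated like a programmer error. A short or oversized header aborts the
 * whole process (SIGABRT); built with -DNDEBUG the checks vanish and the
 * code reads past the buffer instead. Returns total bytes consumed. */
size_t parse_frame_assert(const uint8_t *buf, size_t len, struct frame *out)
{
    assert(len >= 2);
    out->flags = buf[0];
    size_t hdr;
    if (out->flags & FLAG_LONG) {
        assert(len >= 9);
        uint64_t n = read_be64(buf + 1);
        assert(n <= MAX_BODY);
        out->body_len = (size_t)n;
        hdr = 9;
    } else {
        out->body_len = buf[1];
        hdr = 2;
    }
    assert(len - hdr >= out->body_len);
    out->body = buf + hdr;
    return hdr + out->body_len;
}

/* Hardened form: every field taken from the wire is validated and a status
 * is returned, so the caller can drop the connection rather than the process. */
enum frame_status parse_frame_checked(const uint8_t *buf, size_t len,
                                      struct frame *out, size_t *consumed)
{
    if (len < 2) return FRAME_TRUNCATED;
    uint8_t flags = buf[0];
    if (flags & ~FLAG_MASK) return FRAME_BAD_FLAGS;
    size_t hdr;
    uint64_t n;
    if (flags & FLAG_LONG) {
        if (len < 9) return FRAME_TRUNCATED;
        n = read_be64(buf + 1);
        hdr = 9;
    } else {
        n = buf[1];
        hdr = 2;
    }
    if (n > MAX_BODY) return FRAME_TOO_LARGE;   /* bound before any arithmetic */
    if (len - hdr < n) return FRAME_TRUNCATED;  /* len >= hdr here, so no wrap */
    out->flags = flags;
    out->body_len = (size_t)n;
    out->body = buf + hdr;
    *consumed = hdr + out->body_len;
    return FRAME_OK;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t SAMPLE_SHORT[]    = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t SAMPLE_LONG[]     = { 0x02, 0, 0, 0, 0, 0, 0, 0, 3, 'a', 'b', 'c' };
static const uint8_t SAMPLE_TRUNC[]    = { 0x00, 0x05, 'h', 'e' };
static const uint8_t SAMPLE_HUGE[]     = { 0x02, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
static const uint8_t SAMPLE_BADFLAGS[] = { 0x08, 0x00 };

/* Wrappers so results can be checked without juggling the struct. */
enum frame_status checked_status(const uint8_t *buf, size_t len)
{
    struct frame f; size_t used = 0;
    return parse_frame_checked(buf, len, &f, &used);
}
size_t checked_consumed(const uint8_t *buf, size_t len)
{
    struct frame f; size_t used = 0;
    return parse_frame_checked(buf, len, &f, &used) == FRAME_OK ? used : 0;
}
size_t assert_consumed(const uint8_t *buf, size_t len)
{
    struct frame f;
    return parse_frame_assert(buf, len, &f);
}

int main(void)
{
    static const char *names[] = { "ok", "truncated", "too large", "bad flags" };
    printf("short    -> %s\n", names[checked_status(SAMPLE_SHORT, sizeof SAMPLE_SHORT)]);
    printf("long     -> %s\n", names[checked_status(SAMPLE_LONG, sizeof SAMPLE_LONG)]);
    printf("trunc    -> %s\n", names[checked_status(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC)]);
    printf("huge     -> %s\n", names[checked_status(SAMPLE_HUGE, sizeof SAMPLE_HUGE)]);
    printf("badflags -> %s\n", names[checked_status(SAMPLE_BADFLAGS, sizeof SAMPLE_BADFLAGS)]);
    /* parse_frame_assert() on SAMPLE_TRUNC or SAMPLE_HUGE would abort here. */
    printf("assert parser consumed %zu bytes of the short frame\n",
           assert_consumed(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    return 0;
}
```

Feeding SAMPLE_HUGE to the assert-based parser is the broker crash the comments describe: one peer's nine bytes take down every other client on the process. The checked parser turns the same input into a FRAME_TOO_LARGE status that the caller can log and answer by closing the socket. Note also the NDEBUG hazard: assert() is not an input validator, because release builds compile it out and leave the unchecked read behind.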
| theamk wrote:
| I normally assume that any software which is not specifically
| designed to be exposed to internet, should not be exposed.
|
| Security is hard, and proxies/VPNs are cheap.
| 28mm wrote:
| Evidently it has never had such a certificate:
| https://crt.sh/?q=curvezmq.org
| theogravity wrote:
| The Elliptic Curve Cryptography article (mentioned in the ZeroMQ
| article) the author wrote is really good:
|
| https://fangpenlin.com/posts/2019/10/07/elliptic-curve-crypt...
| chrisweekly wrote:
| I love how they wanted to learn about ECC and decided to write
| the book they wished existed. What a perfect mindset.
| fovc wrote:
| > As a software engineer, I am lazy, so I always love to reuse
| existing tools as much as possible... That's why I decided to
| take the chance to learn how Elliptic Curve Cryptography works.
|
| Imagine if they weren't lazy!
| jakjak123 wrote:
| I have worked with non-lazy engineers too. The amount of
| convoluted barely working franken stuff they come up with is
| staggering. No obstacle will stop them from digging the hole
| deeper.
|
| Nah, they are alright. The real issue is they are so busy
| working, they never stop to really think about what they are
| building.
| kvmet wrote:
| This is why teams need both. Relentless, obsessive people are
| great for the things that need it. Most stuff is usually fine
| to just do the lazy way though and move on.
| bullfightonmars wrote:
| Different definitions of lazy.
|
| * lazy - wants to do as little work in the future as possible
| and so spends extra time now solving the problem the right
| way.
|
| * lazy - has no consideration for the future and takes a
| straight line path to solving the problem now. Spends all
| future time fixing problems created from this approach.
| winwang wrote:
| Well said! Have not seen the tension expressed in this
| way before.
| verst wrote:
| I'm of the first type - which I call "busyness in the
| pursuit of eventual laziness" :)
| twodave wrote:
| There's a subset of the second definition where you
| delegate all the future fixing time to some unfortunate
| young developers, both wasting their time and tainting
| their souls in the process.
| jart wrote:
| > Reading code is underrated, and many software engineers don't
| understand how and why they should read it. Reading code is much
| harder than writing code because writing code translates your
| thoughts into code, and reading code is the opposite.
|
| That's like saying reading Hamlet is harder than writing it. What
| kind of garbage do you have to be filling your head with all day
| to hold such a dismal opinion of software?
| Zambyte wrote:
| Proprietary enterprise production code
| ok123456 wrote:
| The modal programmer barely reads stack traces that tell them
| where exactly something is happening, even when it tells them
| exactly the mistake they're making.
|
| Digging into other people's code, reading it, and having enough
| education and context to understand why they did things a
| certain way is an even rarer skill.
| icedchai wrote:
| Yep. Problem solving, debugging, and diagnostic skills are
| often non existent. "It doesn't work. Can you take a look?"
| ok123456 wrote:
| I'd be pretty rich if I got $0.01 every time I was asked
| that.
|
| Also, it gives you the heuristics to decide if a code base
| is crazy and not redeemable.
| hobs wrote:
| If you didn't get at least 1c per question like that,
| raise your rates!
| floating-io wrote:
| Reading most code is more akin to reading Hamlet fan fiction.
| chrisweekly wrote:
| Fantastic post, I loved everything about it. Fang-Pen, I'm
| interested in your book but it's apparently only 16% complete, is
| that right? In any case nice find, thanks for sharing, and please
| keep writing! :)
___________________________________________________________________
(page generated 2024-04-11 23:00 UTC)