|
redleader posted:dunno what timeline you come from, but over here that's fine and expected

yeah each digit in their market cap confers additional rights

y’all just lucky fbook hasn’t started using liters of blood for identity verification
|
# ? Aug 31, 2019 12:57 |
|
Wiggly Wayne DDS posted:i want to say we're a few steps past your regular crash reporting when you're uploading per-user system libraries quietly in the background without any informed consent

and on top of that, the facebook app is usually pre-installed on androids with no option to remove it.
|
# ? Aug 31, 2019 19:37 |
|
is it OK for them to upload their own memory image, including mapped system libraries? which libraries would it not be OK for them to include in that memory image? how would you design a privilege to allow users control over what system libraries can be mapped into a given application’s process, if it’s important to keep some applications from being able to read them? what harm would you be preventing with that privilege?
|
# ? Aug 31, 2019 21:40 |
|
why is uploading libraries bad?
|
# ? Aug 31, 2019 22:00 |
pseudorandom name posted:why is uploading libraries bad?
|
|
# ? Aug 31, 2019 22:37 |
|
Facebook doesn’t get the benefit of the doubt. if they’re uploading random bits of data from people’s phones that aren’t obviously necessary for their app’s practical purposes of sharing baby photos and dumb political memes, I’m going to assume it’s malicious even if I can’t immediately figure out how
|
# ? Aug 31, 2019 22:44 |
|
but they already know who you are, you’ve logged into the Facebook app and the set of libraries on a device isn’t unique enough to identify a person
|
# ? Aug 31, 2019 22:45 |
|
It doesn't matter. Facebook does not get the benefit of the doubt. They're untrustworthy.
|
# ? Aug 31, 2019 22:51 |
|
so why weren’t people worried about the app being able to read all those libraries before? they could easily fingerprint without uploading the raw data

the crash reporter also uploads system information, btw. I thought this was well-known!
|
# ? Aug 31, 2019 23:42 |
|
it's very weird to upload arbitrary system libraries in the background rather than in response to a crash report. yes there's more ways to fingerprint, but the core reason for this doesn't look to be diagnostic

it goes back to "because we can" and no one seems to have asked if they should. we already know there isn't a limit to the data gathering operations, but maybe a drop of restraint would be good to see?
|
# ? Sep 1, 2019 00:23 |
|
"more data is always better" - facebook, probably
|
# ? Sep 1, 2019 00:26 |
|
if the system library doesn't match an existing hash, uploading it would definitely be valuable.
|
# ? Sep 1, 2019 00:58 |
|
https://twitter.com/troyhunt/status/1167973598163660800

The forums subdomain has been available on http only (no https) since forever. The login/password pages were also http only. I actually poked the site's tech guy about that a while back and he said he spent a day trying to install certs but it was 'too hard'. Apparently he didn't care about keeping the software up to date either.
|
# ? Sep 1, 2019 08:25 |
|
Subjunctive posted:is it OK for them to upload their own memory image, including mapped system libraries? which libraries would it not be OK for them to include in that memory image?
|
# ? Sep 1, 2019 10:13 |
|
evil_bunnY posted:it’s not so much the library map uploading as much as knowing fb would use it to assist fingerprint unsuspecting users first chance they got, and doing it silently, in the background, instead of when crashing.

explain how having the entire binary helps with fingerprinting beyond having the, you know, fingerprints?

Stick Insect posted:and on top of that, the facebook app is usually pre-installed on androids with no option to remove it.

really nefarious, cutting a deal with the manufacturer, who picks and installs the system libraries, to get an app installed on the handset which they use to steal info on what system libraries it has installed. the perfect plan.

still, this is absolutely yet another reason to not run any facebook-made app, and it is at minimum a bit shady a thing to do, but i really haven't heard an explanation of the actually shady usecase for it that measures up to "facebook wants to run their testsuite on the apps in each environment they are deployed, but android installs are a shitshow of hacked up esoteric variants impossible to get a hold of, so they try to recreate them based on what actually gets loaded on user systems".

Cybernetic Vermin fucked around with this message at 10:27 on Sep 1, 2019 |
# ? Sep 1, 2019 10:24 |
|
it'd still be real problematic even if they were only uploading the library hashes, hth
|
# ? Sep 1, 2019 11:53 |
|
I hope they only upload libraries when on a wifi connection, because some of those libraries can be pretty large
|
# ? Sep 1, 2019 12:09 |
Cybernetic Vermin posted:explain how having the entire binary helps with fingerprinting beyond having the, you know, fingerprints?

Remember, most people don't realize all of those apps are the same company and that they're currently in the business of unifying the infrastructure of those services to make it easier for them to track people by aggregating data, and possibly to make them harder to break up.

This is the same company which has shown itself again and again to not only not care about users, but to actively desire to gently caress with users and their emotional status in search of ways to maximize their own profit, and which acts as if they're completely beyond the pale because it is a company that, unlike most other tech companies, is majority-controlled by a completely unethical and hypocritical excuse for a human.
|
|
# ? Sep 1, 2019 12:22 |
|
Carbon dioxide posted:https://twitter.com/troyhunt/status/1167973598163660800

this is hilarious, since installing an ssl cert is intern level easy.
|
# ? Sep 1, 2019 12:52 |
|
Certbot even does the config for you ffs
|
# ? Sep 1, 2019 12:53 |
|
lol even something awful, home of radium, is https now. there’s no loving excuse
|
# ? Sep 1, 2019 13:00 |
|
Carbon dioxide posted:The forums subdomain has been available on http only (no https) since forever. The login/password pages were also http only. I actually poked the site's tech guy about that a while back and he said he spent a day trying to install certs but it was 'too hard'.

Why are you spending time at the xkcd forums?
|
# ? Sep 1, 2019 13:15 |
|
I don't, I just 'know' the tech guy on IRC. BTW, the passwords in the forums leak were MD5 hashed.
|
# ? Sep 1, 2019 13:23 |
|
how many of the passwords were correcthorsebatterystaple
|
# ? Sep 1, 2019 13:25 |
|
Carbon dioxide posted:BTW, the passwords in the forums leak were MD5 hashed.

I mean, good old "milliseconds til decrypted: 5" is better than plaintext but ...
|
# ? Sep 1, 2019 13:45 |
|
Carbon dioxide posted:I don't, I just 'know' the tech guy on IRC.

no salt too eh
|
# ? Sep 1, 2019 15:55 |
|
No idea
|
# ? Sep 1, 2019 16:11 |
|
Subjunctive, are you really going to defend FB again?
|
# ? Sep 1, 2019 16:11 |
|
I can't wait for someone to try and sue FB over reverse engineering/"decrypting" a library of theirs that got uploaded. There's got to be a minefield of compliance issues involved in this.
|
# ? Sep 1, 2019 17:11 |
|
did you guys forget who subjunctive is lmao
|
# ? Sep 1, 2019 19:31 |
|
if I was responsible for getting an Android app for a combination genocide merchant and surveillance/advertising firm working in two billion android shitphones I’d want to be able to figure out why their libsqlite3 crashes when the app does X but I’m not because working for a combination genocide merchant and surveillance/advertising firm is bad
|
# ? Sep 1, 2019 20:32 |
|
Taps fucked around with this message at 05:43 on Sep 3, 2019 |
# ? Sep 1, 2019 22:37 |
|
Taps posted:n Do you need a shrubbery?
|
# ? Sep 1, 2019 23:46 |
|
https://twitter.com/dnsprincess/status/1168274528650301441?s=21
|
# ? Sep 2, 2019 04:07 |
|
wifi inspectah deck, tha mystery of wardrivin’
|
# ? Sep 2, 2019 07:12 |
|
Xarn posted:Subjunctive, are you really going to defend FB again?

I’m not defending them at all. I would have benefited from similar system visibility when I was working on detecting FB-targeted malware deployed against journalists and activists, and when dealing with dozens of “can’t happen” bugs from people with hosed up Android installs, but I wasn’t dumb enough to ask for it or build it. I’ve also navigated around the edges of system info collection for Firefox and jumbled masses of plugins, and also didn’t build that collector, for similar reasons

I’m asking about the security characteristics of the activity, because we’re in the security thread and there are lots of other places for “lol, FB did a thing” shitposting. it’s obvious that it’s at least bad optics, whatever the intent, so there didn’t seem much point belabouring that element. did I miss my part of the chant?

(crash reporting is silent, though, if people have illusions otherwise, and the reports can be triggered when something like a deadlock or other bug state occur. crashes are just one kind of bug detection, they don’t have any special privacy or security characteristics. Chrome does the same thing I’m pretty sure. it certainly used to, and breakpad probably still has support for snapshotting uncrashed state. I don’t know what triggers the GLC harvesting here; for all I know it’s part of reporting a crash, since that whole process was deferred until after the next startup)
|
# ? Sep 2, 2019 09:11 |
|
https://twitter.com/itswillis/status/1168543167219716096
|
# ? Sep 2, 2019 16:56 |
|
if you would all be so kind as to help me pre-empt a secfuck, I’m trying to figure out how to configure ingress for my home network so that I can get various flavours of HTTPS and ssh and MQTT/SQS. which of these is a better choice, or which trade offs am I not seeing? feel free to banish me to the grey thread if this is boring

1: forward ports from my router directly to the docker containers, one per inbound service? VPN in a container, if algo works that way

2: forward ports from my router to some nginx proxy container and then to each service, to protect against...??? I guess I could IP-restrict the ones that I know have limits or do some sanity checking on the requests, but would I really bother? VPN in a container

3: VPN on my EdgeRouter, droplet or whatever that tunnels in and forwards ports via proxy. I’m not sure the latest EdgeOS supports all the best algo settings. means I have an easy off switch for everything that’s forwarded, but I can still VPN directly in

4: burn it all down and raise goats

(ideally I could some of the services on vlans Internally but I’m not sure quite how that would work)
|
# ? Sep 2, 2019 17:51 |
|
what kind of goats
|
# ? Sep 2, 2019 17:54 |
|
breed of goats is important here.

e: Wiggly Wayne DDS posted:what kind of goats

So, you have a couple options: If this is a cloud provider you are trying to provide access to, setting up an IPSEC tunnel (VPN) would be perfectly acceptable, barring that, IP restrictions of what can contact what service via port forwarding is also acceptable. The nginx method would work as well, but you'd need to maintain/patch/monitor the nginx dispatch for intrusions.

Really, as long as you are using an IP whitelist to ensure only services/ips/ports you approve of reach it, it should be fine to expose them. Ideally, you want to have any exposed services going through some sort of WAF or via Cloudflare to shield you, but I know that isn't always possible.

Caveat: SSH should always be behind a VPN. Always. If you need to publicly expose SSH, set up port knocking and write a port knock script to do so, and only allow a single remote session. Leaving SSH available openly is just asking for trouble. That's what I did for backup access to my network in case my OpenVPN vm goes belly up. Also, set up the Google MFA PAM plugin for SSH, and only use shared keys with a passphrase.

CommieGIR fucked around with this message at 18:06 on Sep 2, 2019 |
# ? Sep 2, 2019 17:56 |
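
A model of the port-knocking gate with a single-session limit suggested in the last post, added here as an example; it is not CommieGIR's script or any poster's setup. The knock ports, the time window and the addresses are constructed, and a real deployment would enforce the same decisions in the firewall rather than in Python.

```python
from dataclasses import dataclass, field
from typing import Optional

SSH_PORT = 22
KNOCK_SEQUENCE = (7000, 8000, 9000)   # constructed example ports
WINDOW_SECONDS = 10.0                 # assumed time limit for the whole sequence

@dataclass
class KnockGate:
    """Per-source knock tracking plus a single-session limit on SSH."""
    progress: dict = field(default_factory=dict)   # src -> (knocks matched, start time)
    session_owner: Optional[str] = None            # the one source allowed to reach SSH

    def packet(self, src: str, port: int, ts: float) -> str:
        """Decide 'allow' or 'drop' for one inbound connection attempt."""
        if port == SSH_PORT:
            return "allow" if src == self.session_owner else "drop"
        idx, started = self.progress.pop(src, (0, ts))
        if ts - started > WINDOW_SECONDS or port != KNOCK_SEQUENCE[idx]:
            idx, started = 0, ts                   # stale or wrong knock: start over
        if port == KNOCK_SEQUENCE[idx]:
            idx += 1
            if idx < len(KNOCK_SEQUENCE):
                self.progress[src] = (idx, started)
            elif self.session_owner is None:
                self.session_owner = src           # sequence complete, slot was free
        return "drop"                              # knock ports themselves never answer

    def close_session(self) -> None:
        """Free the slot; the next client has to knock again."""
        self.session_owner = None

# Constructed events: (source address, destination port, seconds since start).
EVENTS = [
    ("203.0.113.5", 22, 0.0),                      # SSH without knocking
    ("203.0.113.5", 7000, 1.0), ("203.0.113.5", 8000, 2.0),
    ("203.0.113.5", 9000, 3.0), ("203.0.113.5", 22, 4.0),
    ("198.51.100.9", 7000, 5.0), ("198.51.100.9", 8000, 6.0),
    ("198.51.100.9", 9000, 7.0), ("198.51.100.9", 22, 8.0),   # slot already held
    ("192.0.2.7", 7000, 9.0), ("192.0.2.7", 9000, 10.0),      # wrong order
    ("192.0.2.7", 22, 11.0),
]

def replay(events):
    """Run the events through a fresh gate and return one verdict per event."""
    gate = KnockGate()
    return [gate.packet(*event) for event in events]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, replay(EVENTS)):
        print(event, verdict)
```

Only the first source's SSH attempt after a complete, in-order, in-time knock is allowed; the second source knocks correctly but is refused because the single session slot is taken.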