Brief items
Security
Security quotes of the week
This boilerplate has blundered right into the most classic security flaw of the early 2000s: a PHP script taking a raw GET variable and interpolating it into a string to be used as an SQL query, causing SQL injection. It's hard to blame PHP beginners for making this mistake, because the PHP documentation and ecosystem is setting them up to fail. Now PHP's notorious propensity for security issues is infecting even non-human life.

Furthermore, when prompted with shell_exec(), Copilot was happy to pass raw GET variables to the command line.

Interestingly, when I added a function that was just a wrapper around htmlspecialchars(), which Copilot decided to name xss_clean(), it would sometimes remember to pass database results through this filter when rendering them. But only sometimes.

— "0xabad1dea" tries out GitHub Copilot
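The three patterns the quote describes, each beside its hardened form, as an added example that is not from 0xabad1dea's post or from Copilot's output; the table, column names and the ping command are assumed for illustration:

```php
<?php
// Added example, not from the quoted post. Table and column names are assumed.

// VULNERABLE: raw GET value interpolated into the SQL string (SQL injection).
function find_user_vulnerable(mysqli $db, array $get): ?array {
    $id = $get['id'];                                    // attacker-controlled
    $result = $db->query("SELECT name FROM users WHERE id = $id");
    return $result ? $result->fetch_assoc() : null;
}

// FIXED: validate the type, then bind it; the data never touches the SQL text.
function find_user(mysqli $db, array $get): ?array {
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;                                     // reject non-integer input early
    }
    $stmt = $db->prepare("SELECT name FROM users WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// VULNERABLE: the shell_exec() variant the quote mentions (command injection).
function ping_vulnerable(array $get) {
    return shell_exec("ping -c 1 " . $get['host']);      // raw GET value on the command line
}

// FIXED: validate as a hostname, then quote it for the shell.
function ping(array $get): ?string {
    $host = $get['host'] ?? '';
    if (!filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)) {
        return null;
    }
    $out = shell_exec('ping -c 1 ' . escapeshellarg($host));
    return is_string($out) ? $out : null;
}

// Output: escape every database result at render time, not "sometimes".
function render_name(?array $row): string {
    $name = $row['name'] ?? '';
    return '<p>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}
```

The fixed functions reject malformed input before it reaches the database or the shell, so there is no "sometimes" about whether the filter is applied.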
"Enter Anom ID" and a password, the screen reads. Hidden in the calculator is a concealed messaging app called Anom, which last month we learned was an FBI honeypot. On Anom, criminals believed they could communicate securely, with the app encrypting their messages. They were wrong: an international group of law enforcement agencies including the FBI were monitoring their messages and announced hundreds of arrests last month. International authorities have held press conferences to tout the operation's success, but have provided few details on how the phones actually functioned.

Motherboard has obtained and analyzed an Anom phone from a source who unknowingly bought one on a classified ads site. On that site, the phone was advertised as just a cheap Android device. But when the person received it, they realized it wasn't an ordinary phone, and after being contacted by Motherboard, found that it contained the secret Anom app.

— Joseph Cox [If the links fail, disabling Privacy Badger may "fix" it.]
Kernel development
Kernel release status
The current development kernel is 5.14-rc1, released on July 11. Linus said:
On the whole, I don't think there are any huge surprises in here, and size-wise this seems to be a pretty regular release too. Let's hope that that translates to a nice and calm release cycle, but you never know.
Stable updates: the small 5.12.16, 5.10.49, 5.4.131, 4.19.197, 4.14.239, 4.9.275, and 4.4.275 updates were released on July 11.
The truly massive 5.13.2, 5.12.17, 5.10.50, and 5.4.132 updates followed on July 14. When asked why these updates were so large, Greg Kroah-Hartman responded:
They show the problem that we currently have where maintainers wait at the end of the -rc cycle and keep valid fixes from being sent to Linus. They "bunch up" and come out only in -rc1 and so the first few stable releases after -rc1 comes out are huge. It's been happening for the past few years and only getting worse. These stable releases are proof of that, the 5.13.2-rc release was the largest we have ever done and it broke one of my scripts because of it :(
Quotes of the week
EternalBlue (WannaCry) was a horrific Windows exploit in that it shows us pretty well what kind of cyberweapons the intelligence agencies of the world have been constructing and stockpiling, and probably also used. We need to put countermeasures where such exploits are likely to hit, yesterday. Intuitively I would say any in-kernel network daemons, anything complex that responds directly to network traffic, is a good thing to fix. I do not know why people are so hung up on device drivers.

— Linus Walleij
But enterprise distros really are a small market these days, a rounding error compared to Android phones, so maybe we just ignore what they do as it's a very tiny niche market these days? :)

— Greg Kroah-Hartman
Distributions
Solus 4.3 released
Version 4.3 of the Solus "home computing" distribution has been released. "This release delivers new desktop environment updates, software stacks, and hardware enablement."
Tails 4.20 is out
Tails is a privacy-focused distribution, and Tails 4.20 "completely changes how to connect to the Tor network from Tails" with the new Tor Connection assistant.
This new assistant is most useful for users who are at high risk of physical surveillance, under heavy network censorship, or on a poor Internet connection:
- It protects better the users who need to go unnoticed if using Tor could look suspicious to someone who monitors their Internet connection (parental control, abusive partner, school or work network, etc.).
- It allows people who need to connect to Tor using bridges to configure them without having to change the default configuration in the Welcome Screen.
- It helps first-time users understand how to connect to a local Wi-Fi network.
- It provides feedback while connecting to Tor and helps troubleshoot network problems.
Distribution quote of the week
Having run CentOS Stream 8 for two years now, I feel that it's a solid experience and most people aren't going to have issues with it after upgrading from classic CentOS 8. And frankly, it's nice having people respond to my bug reports and actually *do* something about it. Strictly speaking, that's an upgrade from the experience with classic CentOS 8.

— Neal Gompa
Development
Announcing Arti, a pure-Rust Tor implementation (Tor blog)
The Tor project, which provides tools for internet privacy and anonymity, has announced a rewrite of the Tor protocols in Rust, called Arti. It is not yet ready for prime time, but, backed by a grant from Zcash Open Major Grants (ZOMG), significant work is ongoing; the plan is "to try bring Arti to a production-quality client implementation over the next year and a half". The C implementation is not going away anytime soon, but the idea is that Arti will eventually supplant it. The project sees a number of benefits from using Rust, including:
For years now, we've wanted to split Tor's relay cryptography across multiple CPU cores, but we've run into trouble. C's support for thread-safety is quite fragile, and it is very easy to write a program that looks safe to run across multiple threads, but which introduces subtle bugs or security holes. If one thread accesses a piece of state at the same time that another thread is changing it, then your whole program can exhibit some truly confusing and bizarre bugs.

But in Rust, this kind of bug is easy to avoid: the same type system that keeps us from writing memory unsafety prevents us from writing dangerous concurrent access patterns. Because of that, Arti's circuit cryptography has been multicore from day 1, at very little additional programming effort.
Firefox 90 released
Version 90 of the Firefox browser is out. The headline feature this time around, beyond working links in PDF output, is a new version of the SmartBlock feature which appears to have been designed with a specific goal in mind: "Third-party Facebook scripts are blocked to prevent you from being tracked, but are now automatically loaded 'just in time' if you decide to 'Log in with Facebook' on any website."
Development quote of the week
There's a reasonable counter argument about equality here. How much GPL-influenced code is going to end up in proprietary projects when compared to the reverse? It's not an easy question to answer, but we should bear in mind that the majority of public repositories on Github aren't under an open source license. Copilot is already claiming to give us access to the concepts embodied in those repositories. Do these provide more value than is given up? I honestly don't know how to measure that. But what I do know is that free software was founded in a belief that software shouldn't be constrained by copyright, and our default stance shouldn't be to argue against the idea that copyright is weaker than we imagined.

— Matthew Garrett
Page editor: Jake Edge