Ir al contenido principal

Ralsina.Me — El sitio web de Roberto Alsina

Security Cargo Cults

Ear­lier I men­tio­ned a ha­ck I use when I need to get a clean bro­w­ser qui­ck. He­re it is agai­n:

rm -f ~/.config/ralsina/devicenzo.conf
curl | python

Sin­ce that got pos­ted on re­ddit (no, not li­nking it), it tri­gge­red "in­te­res­tin­g" ar­gu­men­ts. Ba­si­ca­lly many we­re sho­cked (sho­cked) about run­ning ar­bi­tra­ry in­ter­net co­de lo­ca­lly in this man­ne­r. It's in­se­cu­re. Whi­le I am by no means a se­cu­ri­ty ex­per­t, at least I know I am ig­no­ran­t.

Le­t's exa­mi­ne that in­se­cu­ri­ty claim a li­ttle, in the con­text of what I was pro­po­sin­g. I am tr­ying to te­ll peo­ple "he­re's a sma­ll web bro­w­ser that re­qui­res no se­tup and sin­ce it's not your main bro­w­se­r, you can nuke it and re­set its sta­te ea­si­ly be­fo­re run­ning it, like this".

So, wha­t's wrong wi­th doing it that wa­y, ac­cor­ding to the co­m­men­ter­s:

It's insecure because you can't see the code before running it because it's piped.

We­ll, that makes it exac­tly as in­se­cu­re as eve­ry un­sig­ned bi­na­ry you ever do­wn­loade­d. Or, le­t's be ho­nes­t, eve­ry she­ll scrip­t, py­thon scrip­t, perl script etc you ha­ve ever do­wn­loade­d. Or you au­dit the­m?

Who exac­tly is being pre­ven­ted from au­di­ting it by ha­ving it pre­sen­ted this wa­y? Is the in­ter­sec­tion of "peo­ple who can au­dit this scrip­t" and "po­ple who do­n't un­ders­tand pi­pes" not emp­ty?

For tho­se who can au­di­t, this makes no di­ffe­ren­ce. For tho­se who can't au­di­t, this makes no di­ffe­ren­ce.

It would be better if I provided a hash of the file to know it's not tampered

And how would you know the hash is not tam­pe­re­d? Wat you wan­t, rea­lly is a di­gi­tal sig­na­tu­re of the scrip­t.

If you trust google (and usua­ll­y, peo­ple do­), then you know tha­t:

  1. The script was uploaded by me (che­­ck the his­­to­­­ry of the fi­­le)

  2. The script has not been ta­m­­pe­­red from the re­­po (si­n­­ce it's a se­­cu­­re co­n­­ne­c­­tion and ye­s, the­­re is a hash of the re­­vi­­sio­­n)

If you do­n't trust google, then you do­n't know who uploaded it, and if you do­n't trust me, you do­n't ca­re who uploaded it, even if it's sig­ned (be­cau­se it's sig­ned by so­meo­ne you do­n't trus­t).

How does the user know it's not malware?

He does­n'­t. Li­fe is like tha­t.

Why should the user trust you?

He should­n'­t. OTOH, we­re he so in­cli­ne­d, he can che­ck who wro­te it, and that I am a real per­so­n, wi­th a long his­to­ry of sha­ring co­de on­li­ne and no clai­ms of ever pus­hing ma­lwa­re.

This is more insecure because it downloads on every run

You do­n't need to run ma­lwa­re mo­re than on­ce, an­ywa­y. So, not mu­ch of a di­ffe­ren­ce.

This propagates bad habits

So does Dunki­n' Do­nu­ts, and noone pos­ts about it at re­ddi­t. But in any ca­se, su­re, it's a bad ha­bi­t. Big dea­l.

So, is it se­cu­re? He­ll no! Is it sig­ni­fi­can­tly le­ss se­cu­re than ins­ta­lling a ran­dom PPA you see men­tio­ned in a fo­ru­m? Ma­y­be sli­gh­tl­y. Is it le­ss se­cu­re than run­ning ran­dom un­sig­ned bi­na­rie­s? He­ll no. Is it le­ss se­cu­re than do­wn­loading and run­ning it? No. Is it le­ss se­cu­re than buil­ding a ran­dom thing from sour­ce? He­ll no.

But is it le­ss se­cu­re than the other rea­lis­tic wa­ys in whi­ch I can gi­ve you a 100+ li­ne chunk of py­thon co­de that wo­rks as a web bro­w­se­r? I do­n't thi­nk so.

In the con­text of "he­re's the co­de for it, it can do this", this is not sig­ni­fi­can­tly in­se­cu­re. It's mo­re or le­ss as in­se­cu­re as the al­ter­na­ti­ve­s. Wi­th the ad­van­ta­ge tha­t, if you wan­t, you can au­dit it. It's 128 li­nes of co­de (a­s­su­ming you trust Qt and Py­Qt and Py­tho­n, etc)

So the­re.

Contents © 2000-2023 Roberto Alsina