Stubsack: weekly thread for sneers not worth an entire post, week ending Sunday 22 September 2024
Need to let loose a primal scream without collecting footnotes first? Have a sneer percolating in your system but not enough time/energy to make a whole post about it? Go forth and be mid: Welcome to the Stubsack, your first port of call for learning fresh Awful you’ll near-instantly regret.
Any awful.systems sub may be subsneered in this subthread, techtakes or no.
If your sneer seems higher quality than you thought, feel free to cut’n’paste it into its own post — there’s no quota for posting and the bar really isn’t that high.
The post Xitter web has spawned soo many “esoteric” right wing freaks, but there’s no appropriate sneer-space for them. I’m talking redscare-ish, reality challenged “culture critics” who write about everything but understand nothing. I’m talking about reply-guys who make the same 6 tweets about the same 3 subjects. They’re inescapable at this point, yet I don’t see them mocked (as much as they should be)
Like, there was one dude a while back who insisted that women couldn’t be surgeons because they didn’t believe in the moon or in stars? I think each and every one of these guys is uniquely fucked up and if I can’t escape them, I would love to sneer at them.
Meanwhile, over at the orange site they discuss a browser hack: https://news.ycombinator.com/item?id=41597250 As in a hack that gave the attacker control over any user of this particular browser even if they only ever visited innocent websites, only needing to know their user ID.
This is what's known in the biz as a company destroying level fuck-up. I'm not sure this is particularly sneerable or not but I'm just agog at how a company that calls themselves "The Browser Company" can get the basic browser security model so incredibly wrong.
from their Wikipedia page I’m starting to get why I’ve never previously heard of The Browser Company’s browser; it’s about a year old, it’s only for macOS, iOS, and Windows, and it’s just a chromium fork with a Swift UI overtop and extremely boring features you can get with plugins on Firefox without risking getting your entire life compromised (til Mozilla decides that’s profitable, I suppose)
Arc is designed to be an "operating system for the web", and integrates standard browsing with Arc's own applications through the use of a sidebar. The browser is designed to be customisable and allows users to cosmetically change how they see specific websites.
oh fuck off. so what makes something an operating system is:
the whole UI got condensed down into an awkward-looking sidebar that takes up more space instead of a top bar
you can re-style websites (which is the feature that enabled this hack, and which must be one of the most common browser plugins)
you can change the browser’s UI color
it can run “its own applications”? which sounds like a real security treat if they’re running in the UI context of the browser. though to be honest I don’t see why these wouldn’t just be ordinary web apps, in which case it’s just a PWA feature
Hm, I don’t really see the sneer. They wrote a nasty bug, got notified and had a patch out for it within 36h. The remediations look reasonable too: better privacy, less firebase, actual security audits; even the bounty program is probably the right call (but they result in so many shit reports, it’s probably a wash).
I gotta admit I’m kind of partial to them and their browser? It’s the non-Brave one that ships with an Adblocker by default, has much nicer UI than the existing ones, and the sync thing isn’t half bad (if it doesn’t sync security badness to all your instances, ouch). Sure they sound like a cult but I guess that’s how browser dev gets funded since the 1990s.
OK I might have been a little too harsh, but the security requirements of a browser are higher than pretty much any other piece of software except perhaps for operating system code, emails, or text messages. As a serious player in the browser space it is not optional to get the basic security model / architecture right. This isn't a matter of a bug slipping through (which can happen to anyone), but the system being designed wrong. Hopefully this company has learned their lesson, treats it with the care it deserves going forward, and bring some diversity to the browser market.
Anyway that said let's look at how this was a colossal bug:
The browser required an account hosted on a cloud to use. This is a central point of failure, and cloud is overrated, so should be opt-in.
The browser allowed arbitrary script injection into any webpage based on this cloud account. This is a central point of failure, and goes directly against browser security model so should be opt-in.
The developers did not recognize how dangerous the above was, so perhaps did not treat the back-end with the paranoia it deserved.
Compare Firefox I have an extension that allows for arbitrary CSS injection, but this extension isn't cloud based. So this class of vulnerability isn't possible in the first place, and also it is an extension I opted into and can enable selectively on specific sites instead of globally.