@rootkovska @micahflee Hi there! In @gnome we are doing a lot of work to sandbox things and solve the root cause for this kind of problem. We'd love to hear about these bugs from researchers first, instead of depending on hardening-after-the-fact downstreams like Subgraph and Qubes to push bug reports to us.
Example conversation I'd like to happen around this bug: purpose of .desktop files vs. filename spoofing; executing code you downloaded; sandboxing all executions by default.
Also, the Subgraph reaction has been baffling. They:
1. Ignored Micah's report for 2 weeks (which he gave them to patch) & did nothing to resolve the problem,
2. Downplayed/denied the bug once it got published: https://twitter.com/bleidl/status/851849723002703873
3. Falsely implied that the bug affected QubesOS: https://twitter.com/bleidl/status/851851948710141952
4. Finally patched: https://twitter.com/subgraph/status/852000407253594114
About the Subgraph attack:
1. The main problem that @micahflee exploited is the unfortunate decision made by Subgraph OS to keep Gnome/Nautilus in the TCB *and* letting this complex software process *untrusted* files,
2. The specific Nautilus bug (handling of .desktop files) is just *one* example of what could go wrong in this case,
3. We can think of other potential problems (e.g. Thumbnails processing)
4. More details: https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/
Here's a video demonstration of the exploit https://www.youtube.com/watch?v=SVsllZ7g7-I
I've published a technical explanation of how to get unsandboxed arbitrary code execution in Subgraph OS, and how this attack compares with Qubes https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/ cc @rootkovska
Mastodon's federation introduces UX challenges.
One that worries me a lot is about message forgery. Anyone can forge a twoot, even cross-server.
Whereas Twitter Inc might be trustworthy enough to not forge transcripts. Anyone can run a Mastodon server and might want to abuse it to influence people (see Russian troll campaigns).
Should Mastodon "home servers" cryptographically sign updates? Should there be end-to-end signatures? Anyone has thoughts on this?
@femme @bcrypt Subgraph has a lot thicker layers on top of grsec than Qubes does on top of Xen, because grsec itself doesn't provide isolation. You have to build a sandbox yourself (in SG's case, Oz). So I don't think that grsec bugs are a proxy for SG bugs in the same way Xen bugs are a proxy for Qubes bugs.
But I think the bigger thing, for me, is that Qubes is flexible in ways Subgraph isn't. Like, it's simple to run N different Signal Desktops in different sandboxes, or manage multiple identities in separate whonix VMs, or have vaults to store secret data in, etc.
In case there are any Qubes OS users here: we just released Qubes Security Bulletin #29 for a critical Xen bug in PV memory virtualization allowing VM escape (XSA-212):
@rootkovska Thanks for the primer — I signed up mostly to get the green check mark.
Ok, it's really me: https://twitter.com/rootkovska/status/849199108111958016
Server run by the main developers of the project It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!