Developers should be required to add flags to allow reading/writing to disk. i.e. choose —-insecure-disk—access or —-allow-read=/myapp
I hate the idea of making things a tiny bit more difficult for beginner developers, but what is the alternative?
zxvkhkxvdvbdxz 21 days ago [-]
A reasonable alternative would be for the app to have no permissions and request permissions from the OS that would either deny access or prompt the user.
Most apps have no business outside their own data/cache folders.
I think the Apple implementation is a good start.
hulitu 16 days ago [-]
> A reasonable alternative would be for the app to have no permissions and request permissions from the OS that would either deny access or prompt the user.
A reasonable alternative would be for the app to have no access to the internet and work freely with the available files, just like before. Why must every app be an RCE vector ?
halJordan 21 days ago [-]
And yet, everyone hates snap
bayindirh 21 days ago [-]
snap is being hated for different reasons. Namely a closed backend, a walled garden, and packages pushed down the throats of users for “creating a positive pressure on the Snap team to do a good job”.
the_plus_one 21 days ago [-]
This is more on the user end, but there's ways for users to isolate programs in such a way that this malware wouldn't have access to e.g. browser files and cryptocurrency wallets, some more effective/practical than others. Virtual machines, containers, jails, chroots, etc.
I think one example of what you're talking about can be seen on Android. The developer has to explicitly declare permissions (like file access) in the manifiest, and the user has to explicitly approve it.
Rendello 21 days ago [-]
I like the interface of OpenBSD's `pledge` and `unveil`:
It's interesting that the malware is based on Node. A person trying to solve the take-home using Deno would have needed to pass flags similar to the ones mentioned[1] and perhaps have caught the problem immediately.
Ok, then every developer picks --insecure-disk-access. Now what?
zxvkhkxvdvbdxz 21 days ago [-]
It's depressing that using Firefox is becoming security by obscurity.
wildzzz 21 days ago [-]
Yeah I've got zero interest in running a web3-enabled browser. Until my landlord requires payment in crypto, I'll just keep to investing in traditional markets and spending fiat.
21 days ago [-]
supriyo-biswas 21 days ago [-]
I wonder if I have to start working on take home problems inside a VM because it might potentially have malware in it.
Although, given the number of features being asked to implement, I'd probably have passed on this one.
djaouen 21 days ago [-]
Even North Koreans hate Windows. Or are at least branching out to Mac and Linux. Lol
zxilly 21 days ago [-]
I'm not quite sure what the RAT refers to in the article.
abound 21 days ago [-]
Remote Access Trojan
halJordan 21 days ago [-]
Remote access tool. There are plenty of legitimate uses of rats, and given that its no longer the 90s the rat and the trojan are separate programs in almost non-toy implementation
I hate the idea of making things a tiny bit more difficult for beginner developers, but what is the alternative?
Most apps have no business outside their own data/cache folders.
I think the Apple implementation is a good start.
A reasonable alternative would be for the app to have no access to the internet and work freely with the available files, just like before. Why must every app be an RCE vector ?
I think one example of what you're talking about can be seen on Android. The developer has to explicitly declare permissions (like file access) in the manifiest, and the user has to explicitly approve it.
https://awesomekling.github.io/pledge-and-unveil-in-Serenity...
[1] https://docs.deno.com/runtime/fundamentals/security/
Although, given the number of features being asked to implement, I'd probably have passed on this one.