this post was submitted on 16 Sep 2024
27 points (100.0% liked)

TechTakes

1397 readers
68 users here now

Big brain tech dude got yet another clueless take over at HackerNews etc? Here's the place to vent. Orange site, VC foolishness, all welcome.

This is not debate club. Unless it’s amusing debate.

For actually-good tech, you want our NotAwfulTech community

founded 1 year ago
MODERATORS
 

Need to let loose a primal scream without collecting footnotes first? Have a sneer percolating in your system but not enough time/energy to make a whole post about it? Go forth and be mid: Welcome to the Stubsack, your first port of call for learning fresh Awful you’ll near-instantly regret.

Any awful.systems sub may be subsneered in this subthread, techtakes or no.

If your sneer seems higher quality than you thought, feel free to cut’n’paste it into its own post — there’s no quota for posting and the bar really isn’t that high.

The post Xitter web has spawned soo many “esoteric” right wing freaks, but there’s no appropriate sneer-space for them. I’m talking redscare-ish, reality challenged “culture critics” who write about everything but understand nothing. I’m talking about reply-guys who make the same 6 tweets about the same 3 subjects. They’re inescapable at this point, yet I don’t see them mocked (as much as they should be)

Like, there was one dude a while back who insisted that women couldn’t be surgeons because they didn’t believe in the moon or in stars? I think each and every one of these guys is uniquely fucked up and if I can’t escape them, I would love to sneer at them.

Last week's thread

(Semi-obligatory thanks to @dgerard for starting this)

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 7 points 1 month ago* (last edited 1 month ago)

OK I might have been a little too harsh, but the security requirements of a browser are higher than pretty much any other piece of software except perhaps for operating system code, emails, or text messages. As a serious player in the browser space it is not optional to get the basic security model / architecture right. This isn't a matter of a bug slipping through (which can happen to anyone), but the system being designed wrong. Hopefully this company has learned their lesson, treats it with the care it deserves going forward, and bring some diversity to the browser market.

Anyway that said let's look at how this was a colossal bug:

  1. The browser required an account hosted on a cloud to use. This is a central point of failure, and cloud is overrated, so should be opt-in.
  2. The browser allowed arbitrary script injection into any webpage based on this cloud account. This is a central point of failure, and goes directly against browser security model so should be opt-in.
  3. The developers did not recognize how dangerous the above was, so perhaps did not treat the back-end with the paranoia it deserved.

Compare Firefox I have an extension that allows for arbitrary CSS injection, but this extension isn't cloud based. So this class of vulnerability isn't possible in the first place, and also it is an extension I opted into and can enable selectively on specific sites instead of globally.