Skip to main content

Ralsina.Me — Roberto Alsina's website

Security Cargo Cults

Ear­li­er I men­tioned a hack I use when I need to get a clean brows­er quick. Here it is again:

rm -f ~/.config/ralsina/devicenzo.conf
curl https://devicenzo.googlecode.com/svn/trunk/devicenzo.py | python

Since that got post­ed on red­dit (no, not link­ing it), it trig­gered "in­ter­est­ing" ar­gu­ments. Ba­si­cal­ly many were shocked (shocked) about run­ning ar­bi­trary in­ter­net code lo­cal­ly in this man­ner. It's in­se­cure. While I am by no means a se­cu­ri­ty ex­pert, at least I know I am ig­no­ran­t.

Let's ex­am­ine that in­se­cu­ri­ty claim a lit­tle, in the con­text of what I was propos­ing. I am try­ing to tell peo­ple "here's a small web brows­er that re­quires no set­up and since it's not your main browser, you can nuke it and re­set its state eas­i­ly be­fore run­ning it, like this".

So, what's wrong with do­ing it that way, ac­cord­ing to the com­menter­s:

It's insecure because you can't see the code before running it because it's piped.

Well, that makes it ex­act­ly as in­se­cure as ev­ery un­signed bi­na­ry you ev­er down­load­ed. Or, let's be hon­est, ev­ery shell scrip­t, python scrip­t, perl script etc you have ev­er down­load­ed. Or you au­dit them?

Who ex­act­ly is be­ing pre­vent­ed from au­dit­ing it by hav­ing it pre­sent­ed this way? Is the in­ter­sec­tion of "peo­ple who can au­dit this scrip­t" and "pople who don't un­der­stand pipes" not emp­ty?

For those who can au­dit, this makes no dif­fer­ence. For those who can't au­dit, this makes no dif­fer­ence.

It would be better if I provided a hash of the file to know it's not tampered

And how would you know the hash is not tam­pered? Wat you wan­t, re­al­ly is a dig­i­tal sig­na­ture of the scrip­t.

If you trust google (and usu­al­ly, peo­ple do), then you know that:

  1. The script was up­­load­­ed by me (check the his­­to­ry of the file)

  2. The script has not been tam­pered from the re­po (s­ince it's a se­cure con­nec­­tion and yes, there is a hash of the re­vi­­sion)

If you don't trust google, then you don't know who up­load­ed it, and if you don't trust me, you don't care who up­load­ed it, even if it's signed (be­cause it's signed by some­one you don't trust).

How does the user know it's not malware?

He does­n't. Life is like that.

Why should the user trust you?

He should­n't. OTO­H, were he so in­clined, he can check who wrote it, and that I am a re­al per­son, with a long his­to­ry of shar­ing code on­line and no claims of ev­er push­ing mal­ware.

This is more insecure because it downloads on every run

You don't need to run mal­ware more than on­ce, any­way. So, not much of a dif­fer­ence.

This propagates bad habits

So does Dunk­in' Donut­s, and noone posts about it at red­dit. But in any case, sure, it's a bad habit. Big deal.

So, is it se­cure? Hell no! Is it sig­nif­i­cant­ly less se­cure than in­stalling a ran­dom PPA you see men­tioned in a fo­rum? Maybe slight­ly. Is it less se­cure than run­ning ran­dom un­signed bi­na­ries? Hell no. Is it less se­cure than down­load­ing and run­ning it? No. Is it less se­cure than build­ing a ran­dom thing from source? Hell no.

But is it less se­cure than the oth­er re­al­is­tic ways in which I can give you a 100+ line chunk of python code that works as a web browser? I don't think so.

In the con­text of "here's the code for it, it can do this", this is not sig­nif­i­cant­ly in­se­cure. It's more or less as in­se­cure as the al­ter­na­tives. With the ad­van­tage that, if you wan­t, you can au­dit it. It's 128 lines of code (as­sum­ing you trust Qt and PyQt and Python, etc)

So there.


Contents © 2000-2023 Roberto Alsina