Slides with images and no text are a nightmare for non visual person like myself. I see text: I remember text. I see image: I remember exactly nothing.
As someone who owns multiple WP installs, I have added "define( 'WP_AUTO_UPDATE_CORE', true );" to all my wp-config.php files so that all my installs automatically self update with ALL future updates, minor & major
It is great in theory. In practice, the last auto-update caused a WSOD on my site without any helpful debug log (both on WP and server log) until I manually disabled a (popular) plugin by editing its php file.
I wonder how a less tech-savy person would have resolved that. Even being tech-savy, I had to ask someone for help.
Updates of core and plugins are always very scary to me.
It's a system that's based on trust, but the auto-update that is active in WordPress has saved millions of sites of getting hacked in the last few weeks: https://ma.ttias.be/in-defence-of-wordpress/
As soon as something major breaks by those auto-updates, the trust is over and a lot of users will disable it. That would be a shame indeed, because besides a couple of WSOD's some users may experience, it's an extremely powerful feature.
Super neat. It's a real bummer that you only got a handful of upvotes after two submissions :( I for one will definetely pimp this towards other SQL noobs like me.
Yes, I'm wondering if "mocha" was just most guessed.
Also, didn't anyone at CSAIL write a simple bot to try all the coffee types (eg the list here - http://en.wikipedia.org/wiki/List_of_coffee_drinks)? Or perhaps the most prolific link follower did but just disguised it well??
In order to rule out _simple_ guesses you could have used a code after the coffee name - "/mocha64", "/espresso42", etc.. Without that any analysis of the geographic preference is immediately muddied. Could have chalked the entire board as a giant QR code .. obviously you'll need to design a chalk board plotter first.
QR was also a first thought that came to my head. You could also use simple, popular and unrelated words, i.e.: sock, mind, late etc. as well as provide hints that it's actually Chalk (!) Chase not guessing game.
It all boils down to the fact the you "didn’t really have any concrete hypotheses".
However it's interesting. It would be great to find out the conditions in which people will be most engaged in looking for the next info. But there would be sooo many variables to control ...
Yeah, in hindsight, it would have been a good idea to have hard-to-guess URLs to help with controls. I like the idea of using URLs like "/mocha64" -- could have kept the theme of coffee while filtering out some noise in the data.
There are so many variables to control, things that I hadn't thought about before writing the URLs. The guessable URL part was perhaps one that I should have caught, but there were so many other things. I know that people did things like taking pictures of the boards and sending them to social group chats that they were part of, which is something I never thought of before seeing/hearing about it happening on Friday.
I'm pretty sure nobody tried using a bot, which is pretty surprising. After I saw people interpreting the thing as a puzzle, I thought that I'd get bots for sure.
Even the most prolific link follower looked at only ~150 links, and looking at timestamp information and the content of the guesses themselves, it doesn't seem like it was a bot.
I fail at seeing the XKCD principle here. Instead of something memorable yet secure, the default settings got me "24!live!MARKET!page!22" which is higly unmemorable.
Sounds cool but I think the WordPress implementation is TERRIBLE: it depends on a WordPress fork that is completely outdated, instead of downloading an up-to-date fresh archive.
I agree -- the current WordPress package needs work. Thank you for trying it and looking into it!
Community-wise, one thing we're going to need, as Sandstorm grows, is an ecosystem of app package maintainers. Part of what we're hoping is that more developers of the apps themselves will maintain the Sandstorm ports, like Audrey Tang is maintaining the EtherCalc port.
Tech-wise, one thing we're going to need is a solid story for how Sandstorm packages will easily stay up to date with the latest changes as the upstream author releases new updates.
I work on+for Sandstorm, and I'm also a Debian developer. Debian is not a shining example with regard to either of the above, and I'm sure we can do even better at Sandstorm.
It's not currently possible to run arbitrary Docker containers through Sandstorm, since we prefer app packages (we call them SPKs) to be:
* Self-contained -- if the app needs MySQL, bundle it;
* Able to run with external network access unavailable -- this improves security, since even if an app gets compromised, it's not a big deal since it can't leak any data out to the world;
and a few other constraints that are more technical than philosophical.
We actually don't want apps to bundle MySQL -- we'd prefer they use sqlite. :) But the point is, it's up to the app. The app gets a slice of filesystem and they can use whatever infrastructure they want to store stuff to it.
We want the experience for users to be install app, use app, without worrying about setting up databases and such. We also want to enforce isolation between apps so one app cannot access another's data, and that's a lot easier to do if they aren't sharing a database. Considering these desires, it makes sense to say that apps should simply bundle their database of choice.
Even so, I don't see how you could distinguish between a compromised app sending data to the outside world and an uncompromised app doing the same as part of its normal operation.
That's just marketing bullshit. Unless the API is magic (and I don't mean advanced technology "magic" but Harry Potter "magic") it has no way of knowing what the application is allowed to send or not and therefor cannot filter. It's like saying it cannot leak data because it has to use HTTP.
> Unless the API is magic (and I don't mean advanced technology "magic" but Harry Potter "magic") it has no way of knowing what the application is allowed to send or not and therefor cannot filter.
You're assuming that Sandstorm apps have arbitrary IP network access. They do not.
Sandstorm is based on capability-based security. Any outgoing request has to be addressed to a capability representing some specific permission that the user has granted to the app. A capability might point to another app, or it might point to a specific external host that the user has designated.
More specifically, a Sandstorm app's only connection to the outside world is through Cap'n Proto RPC, which is an object-capability protocol, meaning that an app can only send requests to objects to which it has explicitly received a reference.
Of course, for backwards-compatibility, we have translation layers so that apps written to use regular old HTTP need not be entirely rewritten. You just have to tweak it to make the correct permissions request first, which has proven not very hard in practice.
Note that Sandstorm is still in development and for the moment we've created a hack to allow ttrss to make arbitrary HTTP requests in order to update feeds.
However, in a few more months this won't be necessary. Instead, when you click "subscribe to feed", the app will call a method on the Sandstorm API saying "Prompt the user for a URL and then give me permission to access it". So, you'll get a dialog box to enter the URL rendered by Sandstorm itself. If you enter a URL, it's plainly obvious that you want the app to have permission to fetch it, so Sandstorm grants said permission. We call this UI the "powerbox".
Notice how the UX here is equivalent to what we have today, where the app renders its own prompt. This technique of inferring security decisions from actions the user was doing anyway is the core of how we plan to implement tight security without inconveniencing the user.
I've been using TinyTinyRSS on Sandstorm for a while. It even has a mobile app that works with Sandstorm's API. (Though it's a fork, not the official Play Store version.)
Sandboxed applications literally cannot send any data by default. They can't open a connection to <whatever server>, no matter what protocol.
The goal, once they've built their Powerbox, is to then implement a set of protocol drivers which the application can use. So it still can't connect to arbitrary servers, but it can ask the user for permission to, say, connect via SMTP to <wherever>, and the user has control over that.
Yes, they could leak anything that you put in them if you allow them to connect to someone you don't trust. However, even if you do so once, most applications will be per-document - you have an instance of your document editor for each document, and they don't know anything about any other documents you have.
In short: applications can only leak what you give them, and only to people you say to give them to. They can't call back to home base without your permission or the permission of someone you've given the app permission to contact. So for all reasonable definitions of "cannot leak data", applications cannot leak data without your permission.
It's worth keeping covert and side channels in mind, though: e.g. an instance can leak bits by timing variations. Capability security is a big big deal, a qualitative change in the game, but I think this comment is over-promising things.
Yes, covert side channels should always be assumed to be possible.
However, there are two reasons I think you don't need to worry about them too much:
1) They'll typically be fairly expensive and low-bandwidth.
2) They're unambiguously malicious. This is not a technical barrier to using them, but it's a huge political barrier. Today, major developers will happily stick covert statistics gathering into their code, and then when called out on it, will make some contrived argument about how it benefits users (if that's true, why don't you ask them first?) and how it's mentioned in the privacy policy so therefore it's legit. OTOH, you can't exploit a covert channel in Sandstorm and then plausibly claim you haven't done anything wrong.
Some hardcore security nerds will of course scoff at this argument, and to them I can only say: "OK, yes, there are possibly covert channels, sorry. Please don't put sensitive data into an app you don't trust."
A theoretical long-term solution is deterministic computing, but that probably requires apps to be written in a different language or be run in a heavy-handed VM. Not practical at the moment.
It's also worth noting that Sandstorm is designed to make it impossible for an app to leak capabilities via covert channels. They can only leak bits, and a capability is not just bits.
Yep, good points; I just think the GP was too absolute. It's good to hear Sandstorm's built on object capabilities instead of password capabilities; since I wasn't sure I didn't get into that, or deafening (determinism to eliminate side channels into a process; I gather that outward is much harder to control).
* Backend: Due to Linux network namespaces, the app can't communicate with the network (except over "sandstorm-http-bridge" which allows it to respond to inbound HTTP requests).
* Frontend: Due to Content-Security-Policy, the client part of the app can't communicate with any hostname other than the one the app runs on. The CSP header is set by Sandstorm, not the app.
So then it has no network access, and therefore even if it is compromised, can't leak anything.
This does hinge on the app's dynamic code only being run for logged-in users. For many apps -- imagine a Google Docs spreadsheet only accessible to people within your domain -- this is a pretty straightforwardly reasonable model. Sandstorm handles authentication for apps, so it can enforce this even if the app is 0wned.
An app does not have the ability to edit who has permissions to itself. In order to add yourself as an admin of some app, you'd have to compromise Sandstorm, not the app.
I'm not sure how that is supposed to work. You would have to rewrite every webapp so that it's data can be protected by sandstorm. Which seems hugely impractical. And as long as the webapp has access to it compromising it will compromise the data.
Not "rewrite". You do have to tweak apps to be Sandstorm-appropriate, but it's usually somewhere between five minutes and a couple days of work. Namely:
* Delete the login system and use Sandstorm's. If you build on Meteor, for instance, this is a simple matter of swapping dependencies.
* Delete your sharing system. If the app hosts multiple things that can be independently shared, change it to host only one such thing. The user can create multiple instances of the app and using Sandstorm's sharing. This is probably the hardest part, but we've done it for several apps now without too much trouble. Since it's largely deleting code, it's not very difficult.
* Find the places where your app connects to the outside world and insert a bit of code to make a Sandstorm powerbox request to get permission first, then address the requests to that permission.
None of this involves "rewriting". We have 20+ apps on the Sandstorm app list, most of which were ported by two people who certainly didn't have time to rewrite each one.
I've ported apps to Sandstorm with literally no prior experience with the languages those apps were written in. Porting to Sandstorm involves more deleting stuff you don't need than actually writing code yourself. :D
The only "everything" you should be able to get, if the security is correct, is for the app you compromised, not the other ones running on Sandstorm. No, it does not magically secure applications put behind it (though IIRC it does put a couple of useful tweaks in place, but that's all it can do), but it can prevent "I compromised your WordPress and stole your entire machine's contents."
It's because of Sandstorm's security as a platform. Apps cannot see each other's files on disk, because each one runs in a container with only their own subdirectory mapped in.
