• 2 Posts
  • 39 Comments
Joined 1 year ago
cake
Cake day: August 10th, 2023

help-circle
  • Google put an API into Chrome that sends extra system info but only to*.google.com domains. In every Chromium browser.

    Only vivaldi caught this issue. Brave had this api enabled, most likely on accident.

    But the problem is, that chromium is just such big and complex software, when combined with development being driven by Google, it’s just impossible for any significant changes or auditing to be done by third parties. Google is capable of exteriting control over Brave, simply by hiding changes like above, or by making massive changes like manifest v3, which are expensive for third parties to maintain.

    Brave can maintain 1 big change to chromium, but for how long? What about 2, 3, etc.

    My other big problem with brave is that I see them somewhat mimicking Google’s beginnings. Google started out with 3 things: an ad network, a browser, and a search engine.

    Right now, Brave has those same three things. It feels very ominous to me, and I would rather not repeat the cycle of enshittification that drove me away from chrome and goolgle.







  • sn1per is not open source, according to the OSI’s definition

    The license for sn1per can be found here: https://github.com/1N3/Sn1per/blob/master/LICENSE.md

    It’s more a EULA than an actual license. It prohibits a lot of stuff, and is basically source-available.

    You agree not to create any product or service from any par of the Code from this Project, paid or free

    There is also:

    Sn1perSecurity LLC reserves the right to change the licensing terms at any time, without advance notice. Sn1perSecurity LLC reserves the right to terminate your license at any time.

    So yeah. I decided to test it out anyways… but what I see… is not promising.

    FROM docker.io/blackarchlinux/blackarch:latest
    
    # Upgrade system
    RUN pacman -Syu --noconfirm
    
    # Install sn1per from official repository
    RUN pacman -Sy sn1per --noconfirm
    
    CMD ["sn1per"]
    

    The two pacman commands are redundant. You only need to run pacman -Syu sn1per --noconfirm once. This also goes against docker best practice, as it creates two layers where only one would be necessary. In addition to that, best practice also includes deleting cache files, which isn’t done here. The final docker image is probably significantly larger than it needs to be.

    Their kali image has similar issues:

    RUN set -x \
            && apt -yqq update \
            && apt -yqq full-upgrade \
            && apt clean
    RUN apt install --yes metasploit-framework
    

    https://www.docker.com/blog/intro-guide-to-dockerfile-best-practices/

    It’s still building right now. I might edit this post with more info if it’s worth it. I really just want a command-line vulnerability scanner, and sn1per seems to offer that with greenbone/openvas as a backend.

    I could modify the dockerfiles with something better, but I don’t know if I’m legally allowed to do so outside of their repo, and I don’t feel comfortable contributing to a repo that’s not FOSS.





  • LXD/Incus. It’s truly free/open

    Please stop saying this about lxd. You know it isn’t true, ever since they started requiring a CLA.

    LXD is literally less free than proxmox, looking at those terms, since Canonical isn’t required to open source any custom lxd versions they host.

    Also, I’ve literally brought this up to you before, and you acknowledged it. But you continue to spread this despite the fact that you should know better.

    Anyway, Incus currently isn’t packaged in debian bookworm, only trixie.

    The version of lxd debian packages is before the license change so that’s still free. But for people on other distros, it’s better to clarify that incus is the truly FOSS option.



  • Dockers manipulation of nftables is pretty well defined in their documentation

    Documentation people don’t read. People expect, that, like most other services, docker binds to ports/addresses behind the firewall. Literally no other container runtime/engine does this, including, notably, podman.

    As to the usage of the docker socket that is widely advised against unless you really know what you’re doing.

    Too bad people don’t read that advice. They just deploy the webtop docker compose, without understanding what any of it is. I like (hate?) linuxserver’s webtop, because it’s an example of the two of the worst footguns in docker in one

    To include the rest of my comment that I linked to:

    Do any of those poor saps on zoomeye expect that I can pwn them by literally opening a webpage?

    No. They expect their firewall to protect them by not allowing remote traffic to those ports. You can argue semantics all you want, but not informing people of this gives them another footgun to shoot themselves with. Hence, docker “bypasses” the firewall.

    On the other hand, podman respects your firewall rules. Yes, you have to edit the rules yourself. But that’s better than a footgun. The literal point of a firewall is to ensure that any services you accidentally have running aren’t exposed to the internet, and docker throws that out the window.

    You originally stated:

    I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add a firewall rules for a new container.

    And I’m trying to say that even if that was true, it would still be better than a footgun where people expose stuff that’s not supposed to be exposed.

    But that isn’t the case for podman. A quick look through the github issues for podman, and I don’t see it inundated with newbies asking “how to expose services?” because they assume the firewall port needs to be opened, probably. Instead, there are bug reports in the opposite direction, like this one, where services are being exposed despite the firewall being up.

    (I don’t have anything against you, I just really hate the way docker does things.)



  • Yes it is a security risk, but if you don’t have all ports forwarded, someone would still have to breach your internal network IIRC, so you would have many many more problems than docker.

    I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add a firewall rules for a new container.

    My problem with this, is that when running a public facing server, this ends up with people exposing containers that really, really shouldn’t be exposed.

    Excerpt from another comment of mine:

    It’s only docker where you have to deal with something like this:

    ---
    services:
      webtop:
        image: lscr.io/linuxserver/webtop:latest
        container_name: webtop
        security_opt:
          - seccomp:unconfined #optional
        environment:
          - PUID=1000
          - PGID=1000
          - TZ=Etc/UTC
          - SUBFOLDER=/ #optional
          - TITLE=Webtop #optional
        volumes:
          - /path/to/data:/config
          - /var/run/docker.sock:/var/run/docker.sock #optional
        ports:
          - 3000:3000
          - 3001:3001
        restart: unless-stopped
    

    Originally from here, edited for brevity.

    Resulting in exposed services. Feel free to look at shodan or zoomeye, internet connected search engines, for exposed versions of this service. This service is highly dangerous to expose, as it gives people an in to your system via the docker socket.