Weekly Reading's from Anant: Week #4

This week has been one of those weeks where you put your head down and prepare for the next few months. I am so excited about the next few weeks as we prepare to put the results out in public. As with all of my other projects, this again will be an open source.

Before we jump to new topics, Last week’s newsletter started an interesting discussion on twitter.

This resulted in multiple contributions, and some interesting outcomes were

When ever we talk about code, dependencies, and how fragile the world is right now. Build on shoulders of smaller code bases, it reminds me of two things:

a. XKCD post on dependencies

b. The funny situation called npm dependencies. We talked about these a few months back here but Kingsly again pointed out about the fact that we still have so many packages depending on “left-pad”. Weekly download count of 3,967K for a package deprecated, GitHub repo archived and last update happened 3 years back.

However, almost always discussions of this nature end up turning towards ROI, giving rightful place for defenders or finding that right balance between security usability and “is security just support” or “is security bigger than just support”. I would selfishly plug my old article here:

With that covered lets turn our sight on events that happened in last week.

This bug is one hell of a bug and is not ready to lose the shine on itself. I talked about this bug in deep details in my first newsletter. However, the exploit worked only on Ubuntu 20.04, 18.04 and Debian 10. Other OS combinations were not getting exploited because of older glibc missing references used in exploits. This week a new blog post came out. Describing in all gory details how the exploit can now work with Debian 9, CentOS 7, and Ubuntu 14.04.

Last week some news came out that Brave was leaking DNS data for tor requests and leaving all dot-onion addresses you visited in your service provider’s DNS Cache. Multiple things happened along with this. While Brave fixed the issues they in parallel opened up another bug report on upstream service provider here suggesting not just this one but there are other holes in the setup. This thread covered the event.

While I have been messing around with all this, thefluffy007 contacted me over twitter and we started discussing their android VM work (VM available for download here). While discussing with them, I realized I have collected an extensive set of tricks around VM space optimization which results in OVA size reduction. So I sat down and listed all of them in a simple blog post:

Recently an interesting white paper was published in academia dealing with FAVICONs and how they can track people. This was a decent white paper and would not have made a big headline. However, the actions of the author presented a rather peculiar scenario and shot this white paper on the center of a massive debate.

TL:DR: The author realized Firefox is immune to the attack they were showing however they realized it deviates from standard behaviour. So without disclosing the fact that this behaviour is preventing an attack, they raised an issue to fix the behaviour. If they applied the fix, this would have resulted in Firefox being vulnerable to an attack.

Throughout my career I have not accepted donation, however with so many projects running parallelly it was something that was always in my “things to do one day” list. If you feel my work in open source and security has helped you and if you feel like supporting me, buy me a book/coffee.

This brings me to the last section, covering multiple references I didn’t have time or space to cover in the newsletter.

I hope you enjoyed the newsletter. If you are reading it on the website, remember to subscribe so you can get it every week on your email.. Till next time. Have a wonderful week.