undefined | Better HN

0 pointsryanlol8y ago0 comments

Does that really not sound ridiculous to you? Microsoft needs to be blamed for their certificate validation implementation because people might use it to make their software expire? Instead of just writing code that does so?

0 comments

wtallis8y ago

Microsoft's driver signing model has a mode that is a giant footgun with no redeeming value. Oculus is a victim of Microsoft's bad design. They weren't trying to build in a self-destruct timer for their whole product stack, and if they were, they wouldn't have used the driver signing certificate as the lynchpin.

jlgaddis8y ago

I find this reasoning ("footgun", Microsoft's fault) interesting when compared to the prevalent HN opinions when it comes to, for example, (unsecured) redis and memcached servers being used in DDoS attacks, or even AWS S3 buckets (with confidential or even highly classified files) being -- inadvertantly -- left wide open to the public.

In those cases, "we" (as a "community", in general) often blame the people responsible for running those services instead of the developers (or Amazon) being blamed for choosing convenience/ease-of-use over security. That is, we're often quick to say that the people running those wide open memcached servers are at fault for not properly configuring and/or securing them -- and not blaming the developers for creating "a giant footgun".

"You shouldn't be running servers on the Internet if you don't know how to properly configure them" (paraphrasing) is often stated. Yet, in this case, we're not blaming Oculus for their screwup and instead blaming Microsoft -- even though there's zero evidence (AFAIK) that Oculus even used any Microsoft tools to sign their application. (N.B.: I don't know the first thing about code signing on Windows so it may well be that using a Microsoft utility is required and, thus, just assumed by those of you who are familiar with the process. If that's the case, sorry.)

I'm having trouble trying to reconcile these two seemingly opposing viewpoints. Why is Microsoft's utility "a giant footgun" but a (OOTB) completely insecure by default, wide open by default memcached server (for example) isn't?

wtallis8y ago

There's a use case for redis and memcached being open to the network, and a failure mode if you don't properly separate your internal network from the public Internet. There's a use case for S3 buckets that are publicly readable, if they don't contain sensitive/private information. Those features have reason to exist, even though there's potential for misuse. Secure defaults would be nice, but can't eliminate these risks.

There's no reason for drivers to have an expiration date. There's no scenario where it makes sense for the configuration that Oculus stumbled into to be possible.

2 more replies

girvo8y ago

> I'm having trouble trying to reconcile these two seemingly opposing viewpoints.

I mean this with all respect... but why? You're talking about different opinions expressed by completely different people. HN isn't a monolith.

1 more reply

Piskvorrr8y ago

Interesting. I would think that opening unsecured services on to the Internet at large is a big no-no; and that whoever sets the default-allow is the one who's setting the trap here. Yes, the admin should inspect any installation for traps, but that's, as you note, secondary to "don't ship software which has a highly convenient trap set up". Most software traditionally exposed to the Internet did manage to do that, back in the early 2000s (by shipping default config `interfaces=lo` or somesuch), nobody should get a free pass on that, MS or not.

flamedoge8y ago

you can't guard against every imaginable stupidity. you try but users will inevitably find a hole.

loup-vaillant8y ago

That's not how APIs work. You don't eliminate stupidity by thinking of each and every way the user could screw up. You simplify your API so there aren't so many ways to use it in the first place.

ryanlolOP8y ago

So instead of trying to conform to the x.509 spec MS should have just developed their own certificate validation scheme, because that would totally be less of a "footgun" than conforming to the spec.

Am I getting this right?

Why aren't we blaming the people behind RFC5280, after all it was them who came up with this awful idea that certificates should expire.

>giant footgun

oh dear god how are you generating your certificates? This is not a footgun unless you are doing something immeasurably stupid before even involving MS products.

Besides, if you insist on going ahead and setting the Not After field, wouldn't it be a bigger footgun to ignore that?

lclarkmichalek8y ago

FWIW, there are basically no common implementations that fully conform to the x.509 spec. That thing is a bundle of unimplemented features.

1 more reply

gambler8y ago

How about we stop blaming people who accidentally pressed figurative "system self-destruct" button and start asking why there are so many of those buttons everywhere? Nowadays this is a recurring theme. Simple mistakes leading to catastrophic failures at grand scale. "Just be more careful" doesn't cut it anymore, because in the software world there are just too many things to be careful about.

Twisell8y ago

Because when you edit code basically every character you type have the potential to become a big red button. It’s not that developer add them for fun. And each time you develop a new functionality you have to figure out how to build a very solid glass box around the reds buttons you just created. The default being none.

Alternatively you could propose no user configurable functionalities whatsoever and rarely and carefully upgrade any dependencies (including the os) and you will create a very robust program.

But then don’t expect to end up with a wireless VR headset with an online game catalog and multiplayer capability. No but you can up with a very nice banking application developed in COBOL for sure.

ryanlolOP8y ago

You cant possibly make this argument in the context of driver development. Everything is a self destruct button.

j / k navigate · click thread line to collapse

0 comments

wtallis8y ago

jlgaddis8y ago

wtallis8y ago

There's no reason for drivers to have an expiration date. There's no scenario where it makes sense for the configuration that Oculus stumbled into to be possible.

2 more replies

girvo8y ago

> I'm having trouble trying to reconcile these two seemingly opposing viewpoints.

I mean this with all respect... but why? You're talking about different opinions expressed by completely different people. HN isn't a monolith.

1 more reply

Piskvorrr8y ago

flamedoge8y ago

you can't guard against every imaginable stupidity. you try but users will inevitably find a hole.

loup-vaillant8y ago

That's not how APIs work. You don't eliminate stupidity by thinking of each and every way the user could screw up. You simplify your API so there aren't so many ways to use it in the first place.

ryanlolOP8y ago

Am I getting this right?

Why aren't we blaming the people behind RFC5280, after all it was them who came up with this awful idea that certificates should expire.

>giant footgun

oh dear god how are you generating your certificates? This is not a footgun unless you are doing something immeasurably stupid before even involving MS products.

Besides, if you insist on going ahead and setting the Not After field, wouldn't it be a bigger footgun to ignore that?

lclarkmichalek8y ago

FWIW, there are basically no common implementations that fully conform to the x.509 spec. That thing is a bundle of unimplemented features.

1 more reply

gambler8y ago

Twisell8y ago

Alternatively you could propose no user configurable functionalities whatsoever and rarely and carefully upgrade any dependencies (including the os) and you will create a very robust program.

ryanlolOP8y ago

You cant possibly make this argument in the context of driver development. Everything is a self destruct button.

j / k navigate · click thread line to collapse