Backdoor discovered in Ruby "strong password" library, takes your "strong passwords" and uploads them into a pastebin https://nakedsecurity.sophos.com/2019/07/09/backdoor-discovered-in-ruby-strong_password-library/
Hi, do you believe me when I say we need ocap security yet
- One where we list what documents you can access up-front. Now you can't access anything you shouldn't be able to, but you can't access *new* documents.
- One where you start with a set of documents you can access, but as the world moves and changes, we can also pass you access to new documents
Imagine the fediverse built with the former. You could never gain new friends!
@VyrCossont @astraluma This is why the just-in-time acquirement of authority in ocaps is really key: in the fixed-set-of-authority model, it's so annoying and rigid that eventually you'd pass in way more authority than you need, rather than being able to acquire the authority you need when you need it.
@cwebber @VyrCossont @astraluma Some might see this as a disadvantage, but the advantage of OCAP comes explicitly *from* the API rework that will be required to adopt it. Since ocaps are (as a first-order approximation and most programmers' perspective) typed opaque values used as pointers or handles typically passed by value to dependencies that use them, it makes explicit a lot of security-related state which is currently implicit in trusted code bases that really ought not be trusted.
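An added example, not code from any of the posters, of the two models described above: a participant who starts with no authority at all, then is handed a handle just-in-time. The handle is an ordinary Python object, so holding the reference is the authority; it is attenuated (read-only facet), delegated by simply passing it on, and revocable through a caretaker. All class names (Document, ReadOnly, Revocable, Friend) are invented for illustration.

```python
"""Object capabilities as unforgeable handles passed by value (added example)."""


class Document:
    """The resource itself. Nobody reaches it except through a reference."""

    def __init__(self, title: str, body: str) -> None:
        self._title = title
        self._body = body

    def read(self) -> str:
        return self._body

    def write(self, body: str) -> None:
        self._body = body


class ReadOnly:
    """Attenuated facet: forwards read() only; the Document is not exposed."""

    def __init__(self, doc: Document) -> None:
        self._read = doc.read  # capture only the method we are willing to hand out

    def read(self) -> str:
        return self._read()


class Revocable:
    """Caretaker: forwards until revoke() is called, then every call fails."""

    def __init__(self, target) -> None:
        self._target = target

    def read(self) -> str:
        if self._target is None:
            raise PermissionError("capability revoked")
        return self._target.read()

    def revoke(self) -> None:
        self._target = None


class Friend:
    """A participant that knows nothing except the capabilities it was given.

    There is no global document store to look things up in, so without a
    handle there is simply no method to call (no ambient authority).
    """

    def __init__(self, name: str) -> None:
        self.name = name
        self.caps: dict = {}

    def receive(self, label: str, cap) -> None:
        self.caps[label] = cap

    def share(self, label: str, other: "Friend") -> None:
        # Delegation is just passing the object on; nothing else is needed.
        other.receive(label, self.caps[label])

    def try_read(self, label: str):
        cap = self.caps.get(label)
        if cap is None:
            return None
        try:
            return cap.read()
        except PermissionError:
            return None


def demo() -> tuple:
    """Walk through grant, attenuation, delegation and revocation."""
    diary = Document("diary", "secret")  # constructed sample document
    bob, carol = Friend("bob"), Friend("carol")

    before = bob.try_read("diary")            # no handle yet -> None

    handle = Revocable(ReadOnly(diary))       # just-in-time, attenuated grant
    bob.receive("diary", handle)
    during = bob.try_read("diary")            # "secret"
    bob_can_write = hasattr(bob.caps["diary"], "write")  # False: facet has no write()

    bob.share("diary", carol)                 # delegation by passing the reference
    carol_during = carol.try_read("diary")    # "secret"

    handle.revoke()                           # cuts bob and everyone he delegated to
    after = bob.try_read("diary"), carol.try_read("diary")
    return before, during, bob_can_write, carol_during, after


if __name__ == "__main__":
    print(demo())
```

The point of the Revocable caretaker is that the grantor keeps the only reference to it, so revocation reaches every downstream holder without the grantor having to know who they are; that is what makes the "pass authority as the world changes" model manageable rather than an ever-growing access list.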
@VyrCossont @cwebber @astraluma Good questions; I'd like to know that myself. From my limited understanding, unfortunately, I think it has to start with the host OS's most basic APIs. Without kernel support, there'll always be a confused deputy waiting to accidentally obey orders from malicious code.
@VyrCossont @cwebber @astraluma It might not be the fastest thing around, but run like shit might not be accurate either. This is the basic runtime model for Erlang, and it seems to work quite well in the telecommunications niche it was designed for, which also makes it reasonable for Internet applications as well.
Erlang works because you don't need to do OS-level context switches or de/serialization of data.
Context switching processes is expensive, and so is de/serialization. (The latter is mitigatable with shared memory, but that comes with its own pile of trouble.)
@astraluma @VyrCossont @cwebber This. Python lets you tweak the innards of objects you otherwise don't have access to. It's not very convenient, but it does have the facilities to break its encapsulation "rules" (more like rules of thumb).
Once upon a time, there used to be an R&D language called "E" that was built on top of the JVM which was built around OCAPs. I wonder what happened to that, and if its lessons have been applied elsewhere since then?
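An added example, not from any poster, of the Python point above: a read-only facet built the obvious way can be peeled open with ordinary introspection, because the bound method it stores still carries its instance in `__self__` and attribute access is unrestricted. The class names are invented for illustration.

```python
"""Why Python's encapsulation is a convention, not a capability boundary (added example)."""


class Document:
    def __init__(self, body: str) -> None:
        self._body = body

    def read(self) -> str:
        return self._body

    def write(self, body: str) -> None:
        self._body = body


class ReadOnly:
    """Intended attenuation: expose read() and nothing else."""

    def __init__(self, doc: Document) -> None:
        self._read = doc.read

    def read(self) -> str:
        return self._read()


def facet_is_airtight(facet: ReadOnly) -> bool:
    """True only if the holder of the facet cannot reach write authority.

    In CPython this is False: facet._read is a bound method, and bound methods
    expose their instance as __self__, so the full Document is one lookup away.
    """
    underlying = facet._read.__self__
    return not hasattr(underlying, "write")


def demonstrate() -> tuple[str, str]:
    doc = Document("original")  # constructed sample
    facet = ReadOnly(doc)
    seen_by_honest_holder = facet.read()        # cooperative code only ever does this
    facet._read.__self__.write("modified")      # the same reference reaches the Document
    return seen_by_honest_holder, doc.read()


if __name__ == "__main__":
    print(facet_is_airtight(ReadOnly(Document("x"))), demonstrate())
```

The defensive takeaway is that an ocap discipline in Python holds only against cooperative code; against code you do not trust, the boundary has to be something the language cannot undo, such as a separate process or a runtime designed for it, which is the kernel-support point made earlier in the thread.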