
What if the hackers come for us?

Gab - hacked. Truth Social - hacked. What if they come for us? The rdrama codebase probably isn't perfectly secure! Chrome or Firefox has layers of sandboxes, a hundred different gadgets like 'stack protection' or 'W xor X', and still has a new RCE every week. rdrama can probably be trivially owned if someone googles all the dependency versions for a few hours. Also, lol commit history, 'sneed'. If that happens - what leaks? I guess just associations between stored IP addresses (if they are) and post histories. And IP can reveal a lot, or nothing, depending on where you live, ISP, etc. Combine that with a post history referencing improvements you made to your house or your occupation ... might be bad.

Practically, seems incredibly unlikely anyone will care enough to do anything, it's a small community and the essay format gets in the way of 'omg these rightwingers grr'. But, always good to ponder potential security issues. Also, you wanted content, so content.


FWIW, I tend to be a bit skeptical of certain types of things coming from the security community. They do have a tendency to overstate the severity and applicability of issues due to the benefits of publicity in that community.

Ex - the browser environment is riddled with RCEs because the attack surface is massively huge - they are expected to let any site on the net run arbitrary JS code with a ton of flexibility on their users' systems, and to use as much of the overall power of those systems as possible, but not let that code behave beyond certain limits. I sympathize with the people trying to keep that secure. But it doesn't have a lot in common with most other environments.

The web server environment has a much more limited attack surface. For the most part, apart from supply chain attacks, you can only really attack it by sending HTTP requests to it. That doesn't make them invulnerable, but it does mean that the great majority of vulnerabilities follow a few specific patterns that are straightforward to avoid. None of us who have worked with the code here have found any of those in the codebase yet.

I don't think I'd quite bet that there's no vulnerabilities at all. But it seems unlikely enough that there's anything serious that I'm not actively worrying about it. Especially combined with our relatively small size, general lack of going out of our way to piss people off, and lack of really juicy things to be gained from compromising the site.

Eh. Googling 'flask RCE' shows a few.

And web servers regularly get owned by leaving API keys open, configuring something wrong, too. Maybe you use Azure, and the part of Azure you're using is broken. Maybe your web server is perfect but your Cloudflare password is 'marseeeeeey2' without 2FA and you get owned that way.

> But it seems unlikely enough that there's anything serious that I'm not actively worrying about it.

I guarantee someone sufficiently motivated could be inside rdrama in a week or two. But I highly doubt anyone is.

> They do have a tendency to overstate the severity and applicability of issues due to the benefits of publicity in that community.

Not sure if they overstate the severity of issues; if the NSA has been hacking everything, how has nobody seen them coming?

They were playing chess & you were playing checkers;

Not directly applicable here*, but cybersecurity in general is... there's no cybersecurity, really. Intel ME.

* but maybe for Gab / Truth and such?