Hacker News new | ask | show | jobs
by pornel 1272 days ago
The bash timing exploit makes everyone focus just on how cleverly evil it can be, and forget the big picture that it's about trusting the Rust org not to screw you.

(BTW, you can run `curl | sh` in a VM or with a modified bash to intercept the code and catch the bash script in the act, so it's not actually as sneaky as people believe).

If you think the Rust org is going to pwn you in a clever sneaky way, then you can't use Rust or any Rust-containing products.

In the end, you're pulling hundreds of MBs of binaries that you won't review, they're compiled from over 15 million lines of code that I don't believe you'd ever review either. Reviewing just the first 10 lines of code gives you nothing. A smoke test in a sandbox is also worthless, since a binary could detect being run that way, or delay the attack, or attack by specifically miscompiling your code (see Reflections on Trusting Trust).

In the end, you have to trust the Rust org, all of it.
2 comments
carapace 1272 days ago
I call this the "Lie back and think of England" stance.

You're not wrong, until the end, it should be: "you have to distrust the Rust org, all of it."

And not just Rust, Python and JS and all the others. There are languages and systems that take trust and security seriously, but these are not they.

link
Thiez 1271 days ago
Pray tell us, which languages do take trust and security seriously, according to you?
link
carapace 1271 days ago
(Is it that you don't know of any yourself? Or that you think I can't provide examples? In what world is what I said even slightly controversial? Type checking is just catching on now, decades after it was invented and implemented. C'mon.)

Anyway, off the top of my head, Ada.

https://en.wikipedia.org/wiki/Ada_(programming_language)

and E...

https://en.wikipedia.org/wiki/E_(programming_language) https://en.wikipedia.org/wiki/CapROS

Qubes and SEL4 are Operating systems. (OK Labs was acquired by General Dynamics. That seems like a pretty good recommendation to me.)

https://en.wikipedia.org/wiki/Qubes_OS

https://en.wikipedia.org/wiki/L4_microkernel_family#High_ass...

link
fulafel 1272 days ago
"Trusting the Rust org not to screw you" is one part, another part is trusting the Rust server operators to defend against server compromise by any third party. So trusting the intentions is not sufficient.
link
haradion 1272 days ago
The same thing applies to any binaries downloaded from their site, so unless you you've got signed binaries (that use an independently obtained/verified chain of trust), trusting the server is your your only option. Even with signed binaries, you're still trusting the entity that holds the signing key.
link
fulafel 1272 days ago
In real world trust is not so binary. In a risk assessment I'd be interested evaluating the level of assurance there is in the supply chain of how you get your binaries and artifacts. Some of it can be done using crypto like you say, some of it could be eg published audit reports from a reputable evaluator or other credible information about the processes.
link