Hacker News new | ask | show | jobs
by keyle 268 days ago
I ran irssi for years. I agree... Maybe being paranoid about security?
2 comments
jagrsw 268 days ago
I don't think it's being paranoid. It's a remotely controlled parser. Fuzzing has turned up some of bugs in irssi and weechat over the years. Things like malformed color codes, DCC filenames, or even basic protocol messages led to crashes.

I personally use weechat inside nsjail on a raspberry pi (isolated rpi is enough here, but just for fun): https://github.com/google/nsjail/tree/master/configs

link
vrighter 268 days ago
so the application crashes inside the container, and the container is restarted, vs the application crashes outside the container and it is restarted.

What's the difference?

link
keyle 268 days ago
Well, the difference is that someone could PoTenTiAlLY spawn a shell if they get their way. So between server access as a user and container access (if it has a shell), it does make a difference.

A good book on this was "Hacking: The Art of Exploitation".

My argument though is that irssi is that old, I think automatic file receiving (DCC) is off by default and it has sensible defaults and a long history of being reliable(?)

link
Smar 268 days ago
Containers are not the best option for security. VMs and/or a MAC are better.
link
vaylian 268 days ago
What do you mean by "MAC"?
link
DaSHacka 268 days ago
https://en.wikipedia.org/wiki/Mandatory_access_control

https://wiki.archlinux.org/title/Security#Mandatory_access_c...

link