Netflix on Linux, phishing with https, licensing, password managers, Android convergence, the inside story of Nextcloud scanning and more on LNL 07.
News
Netflix now works in Firefox on Linux
14,766 Let’s Encrypt SSL Certificates Issued to PayPal Phishing Sites
Inside OpenSSL’s battle to change its license
Password managers
Jesse tells us why he’s still using LastPass and asks what the rest of us use.
Entroware
This episode of Late Night Linux is sponsored by Entroware. They are a UK-based company that sells computers with Ubuntu and Ubuntu MATE preinstalled. They have configurable laptops, desktops and servers to suit a wide range of Linux users. Check them out and don’t forget to mention us at checkout if you buy one of their great machines.
Android convergence
With Android now more popular than Windows, how are the various efforts at desktop convergence coming along?
Maru now available for the Nexus 7
Phoenix OS 2.0 alpha based on Android 7.1
Samsung has a go at convergence
Admin
There are now loads of ways that you can help out the podcast. See our support page for details.
Following in Ikey’s illustrious footsteps, Joe was recently a guest on Destination Linux.
Nextcloud Interview
After some of us slagged off Nextcloud on the last episode, Jos asked if he could come on the show and explain what really happened. Ikey and Joe were unconvinced to say the least.
See our contact page for ways to get in touch.
It’s not like there are no other CAs handing out valid certs for obvious phishing domains. At least Let’s Encrypt is not creating certs for Google.com like certain other CAs. The number only comes from the process being automated.
Maybe they can be talked into having a set of blacklisted words, we’ll see.
Having given it some more thought, I think a blacklisting system would eventually fail due to corporate greed and abuse (it *looks* like my domain right? sue them! rip down the site! etc.)
First, Jesse, anything vaguely related to SSL/TLS ever thought of, any research project on the topic, was implemented in OpenSSL. And what happened after the author of this piece of code defended their master’s thesis, university course on crypto or whatever? The contributed code stayed in OpenSSL, no matter the quality or if anyone ever used the feature. So you have dozens of one-time-contributors to find. The big companies are the smallest problem here. They either own the copyright of their employees’ code or know to get a hold of them.
Btw: In some ways the ALv2 is more restrictive than the old license so new code/versions could not be used in permissively licensed projects.
And Ikey, have you ever heard about OpenSSL’s horrible API which is even hard to use for people who know what they’re doing? Them using their own memory management inside the library circumventing any hardened functions the OS may provide and breaking on things like ASLR? The absence of any coding guidelines in the most used crypto library there is?
That’s what LibreSSL is taking care of because the OpenSSL folks are too worried about backward compatibility to address those issues.
And Amazon’s creation and (release under ALv2 btw) of the s2n (“signal to noise”) crypto library should tell you what they think of the hassle OpenSSL is. They didn’t disable all the stuff they don’t need in OpenSSL (probably not possible without major changes in the build system anyway). Instead they built a clean, streamlined library because it’s easier to get right.
> And Ikey, have you ever heard about OpenSSL’s horrible API which is even hard to use for people who know what they’re doing?
This is how I know you didn’t fully listen to what I said, and reacted instead 🙂 I made it very clear that I *use* OpenSSL in my projects.
Florian,
I appreciate the clarification on contributions made to OpenSSL. Will note for future reference.
There is no responsibility for the domain registrar or SSL cert provider to police domain names and their use. Let’s Encrypt is a Class 1 SSL which is the least of the SSL certs, it used to be considered something to be used for email and at least a Class 2 was the least acceptable for actual domain use. Trying to place the onus on the providers completely removes any sort of responsibility on the end user and users remain ignorant which is the actual root of the problem.
Furthermore, anyone blacklisting keywords in domains is a direct undermining of free speech. I have every right to run a site under http://paypalsucksdonkeydong.com and complain about their policies. I ought to be able to do that under https, if I so desire.
The system isn’t perfect but it can’t be. It surprises me to hear advocates of open source and freedom argue for what amounts to censorship, even though it’s not a government level.
> It surprises me to hear advocates of open source and freedom argue for what amounts to censorship
That’s not what I said, listen back again, because I think you’re jumping the gun there somewhat. I said if it was to happen anywhere it’d be at the DNS level. I also expressed what my beef with this was: Not the existence of the dodgy domains, but the registrars knowingly profiting from these scam domains, they KNOW what they’re for. They run auctions for these and could quite easily filter out malicious sites, but they make too much money from it, so why should they?
That is my problem.
I don’t disagree that some registrars make money off the shady domains. I’d much rather a neutral system where registrars aren’t allowed to hold domains beyond a grace period after expiration. I think the whole domain auction side of things, when run by the registrars, is shifty to begin with.
I agree that you did say “if”, so that’s on me. It did sound more like approval of it happening than not but I’ll freely admit that the issue of free speech didn’t come up in regards to this. I may have been a bit hasty in my zeal to point out, what I consider to be, a very important issue for the discussion.
I do get what you’re saying with the freedom angle, and we both know that if it were possible to curate domain names, the corporations would abuse that massively, adding that to the patent trolling.
Can’t win either way 🙂
Patent and copyright trolling, FFS, yeah! There’s no good solution really except educating the public. Unfortunately most of the unwashed masses will continue to see the little lock icon as meaning legitimate, believing that ISPs aren’t selling their usage data, and that the government didn’t start spying on the Internet until recently.
I really liked how you completely trashed that Nextcloud evangelist. At one moment it even sounded like he was going to cry. That really taught him a lesson. Hopefully this will keep him and other vendors far away from the podcast for the foreseeable future. I hate it when those corporatist globalists infiltrate the FLOSS community.
I think Jos defended Nextcloud’s decision pretty well. Personally I think they did the right thing.
There was no intent in “trashing” anyone. Jos should be shown respect here, he didn’t *have* to come on the show, yet he did, so gets kudos in my book.
Also Jos is a longtime, well known FOSS contributor and user, so try to separate Nextcloud, the company, from the individual here.
About OpenSSL
Yes, with BoringSSL, LibreSSL and OpenSSL, I’d say OpenSSL is the way to go.
For my projects I found myself going more and more with NSS, yes – of course having the issue of using our own store instead of the system wide store, which is not always desirable (MITM proxy).
For the Nextcloud issue:
I see it the way that they went the extra mile trying to protect the people and their data. Yes, the way all this went down wasn’t a good one, and especially communication after that happened was very poor.
In the end, if the hoster can legally shut you down – probably by a clause in the contract for exactly this purpose – so what? The ones complaining should have checked their installation and whether they have a clause like this in their contract with the provider. Otherwise they risk being shut down. That was the deal.
I personally think they did the right thing. Even though, as said, the communication and process in all this was horrible. Even in this interview, I think Jos didn’t do too well defending their position. Again, statements like “we didn’t trust the owncloud guys” and later stating they didn’t answer do not look good.
I am with you in not seeing anything wrong with what the NextCloud team did, though I didn’t follow their communication enough to judge it. The hosts said they were harsh on Jos because they were upset that he was late. I wonder if Jos was also distracted by whatever made him late because I agree that he was not giving consistent answers and that was hurting his case. If Jos was not distracted, I think it would have been better for one of the NextCloud security experts to do the interview since security was the main justification for what NextCloud did. I know Jos is more involved in the user-facing side of NextCloud and the community building effort, but he also didn’t give very clear answers on those points — the OwnCloud vs. NextCloud issue in particular was not clear (for example, it wasn’t clear how the conflict of interest in urging old OwnCloud instances to be upgraded to NextCloud was addressed). I am glad Felim was at least finally able to give his take at the end.
I usually don’t leave two comments but I didn’t finish the interview with Jos until this morning. While I understand the annoyance, he was late, I did feel that there was very little consideration for what Jos was actually saying. It did not feel like there was a desire to understand how things went down but rather that some folks had their minds made up and took a chance to beat up on Jos, who reached out in an attempt to help clarify things.
As far as the supposed privacy issues go, if you put something on an internet facing IP then you’ve given up your right to have that thing be private. There is absolutely no expectation of privacy once you’ve put something in the wild. Proper security can ensure your data isn’t compromised, except when even that fails, but the fact that there is, let’s say, an Apache server running on port 80 is not something that any reasonable person could consider private information.
While I agree that they might have been able to contact some of the users, that would still have left a large number, likely a majority, that they couldn’t have tracked down. Shared hosting is the first issue. As Jos mentioned, if there was an IP on the list and it responded as WordPress then there’s no way to ensure that the site that’s responding on the IP is A. the only site on the IP, B. the only customer on the IP, or C. has anything to do with the Next/Own cloud instance listed on the IP. At that point the only method that ensures the instance owner is contacted is to alert the organization to which the IP is assigned. In the, what I believe would have been, minority of cases where they could discern the owner of the instance then contact information shouldn’t have been all that hard to come by and yes, in those instances they possibly should have contacted the owners directly.
People running servers against the TOS to which they agreed getting found out doesn’t bother me one bit. Either play by the rules to which you agreed or be willing to suffer the consequences when you get caught. You guys use Digital Ocean, I use both Digital Ocean and Linode based on my needs at the time, and we all know that you can spin up an instance for 5 USD a month. There’s really no excuse for violating your TOS with your ISP. Getting found this way might have sucked but in the end if an idiot who’s not updating their Next/Owncloud instance gets owned on the same ISP I’m on, on the same segment, then I’m affected.
In the end, involving a set of professionals, whose job it is to specifically deal with things like this, was a fair decision. Minor things could have been done differently but in the end involving CERTs and the Shadowserver Foundation was going to be necessary. Nextcloud didn’t scan the internets randomly, they took an existing list, made by someone else scanning (which no one seems to be the least bit upset about) and tried to make good on their installs of their codebase being out of date and vulnerable. This is like vaccination, in a way, you may feel you have the right to decide if your child gets vaccinated but your right to swing around your disease factory of a child ends where my child’s and my immune systems begin. You have the right to run whatever version of any software you want inside the privacy of your own network but you do not have the right to put the rest of us at risk.
That said, some of that is down to bad coding, which may have been hammered on a bit in the interview, but that comes back to the provider of the code taking responsibility for the code, which was what happened here. I really feel like the guys doing the interview created a catch-22 for Jos. I’ll concede the point about having a working updater, that should have been fixed before NextCloud was ever released, there are way too many examples of working updaters for there to be any real excuse. However it really sounded like none of the people involved in the interview would have been happy with any way this was handled and that’s simply not a tenable position.
Given that the code exists and that it’s out there something needed to be done about it. Was turning the whole issue over to CERTs the best first move? Possibly not, but they never washed their hands of any of the responsibility. I have heard Jos on multiple shows now and he has never said NextCloud didn’t have responsibility for how it was handled. He has said that he, personally, didn’t know exactly how the CERTs would handle it but that NextCloud, as an organization, approved of how it was handled. That’s not ducking responsibility, it might be an admission of naivete but he didn’t dodge owning it.
Near the end it really seemed like there was an axe to grind. Jos asked multiple times about how they could have handled it better, as he’s done in multiple mediums, and never got a straight answer. I really think your annoyance at his lateness tainted this interview in a really bad way. I have tons of respect for you guys, and still do, but this wasn’t the quality or objectivity (admittedly not in every area) that I have come to expect from you lot. I really think it was an embarrassing segment where you let emotion overcome reason.
I’m gonna be honest here, I think you’ve misinterpreted the interview. Additionally I believe you saw Joe complain on Telegram about Jos being late, and that has then tainted *your* interpretation of it from the very start, as you were looking for bias and emotions not actually present.
Long story short, we weren’t gonna beat around the bush. What you have to remember is *why* we’ll give guys like Nextcloud a hard time: We actually care about this stuff. We also want to see guys like Nextcloud *succeed*. Alas, nobody is above reproach.
I’ve often seen commentators like yourself on reddit, who frequently confuse integrity and care for being emotionally compromised, which is actually highly unfair. What would’ve been *bad* is if we’d had our heads stuck up Nextcloud’s arse, as with so many other media outlets, and let them off the hook because “omg open source is amazing”.
I didn’t see anything on Telegram, it’s mentioned during the episode, after the interview. I joined the Telegram shortly after leaving this comment. Listen to the end of the episode again, it’s admitted on air that the interviewers were upset about him being late and might have been more harsh because of it.
I have no desire to listen to a podcast where every OSS release gets a free pass. That would be boring AF to be perfectly honest. I think there is a gulf between beating around the bush and interrupting the interviewee and berating them, which happened here. Had I not heard the bit about Jos being late I wouldn’t have mentioned it at all, I would have had a lower opinion of this particular bit.
I will admit to not being clear, I think this could have been handled better by NextCloud, much like the interview could have been handled better by you lot. Were I in charge of the NextCloud handling of this I would have gone a different route. Firstly I wouldn’t have cared one whit about the OwnCloud instances. I think they should have left those completely alone. I also wouldn’t be publishing the version in a publicly accessible script. While security through obscurity is not reliable there’s a difference between relying on that and making information way too easy to access. I would have also tried to contact everyone I could before going to the CERTs but in the end I would have gone to the CERTs.
NextCloud’s biggest mistake was the lack of transparency about the whole thing. Jos is doing damage control and honestly he’s not that good at it. I’ve only heard him on one other podcast but I have seen his responses on various forums, including Reddit. What’s happening is that he’s attempting to give the transparency after the fact and it’s not effective. My original comment did look like I was defending things I didn’t mean to, that’s on me. There are vast differences between the way I think this should have been handled by NextCloud and the way it was but that doesn’t change the beat down handed to Jos.
Giving someone a hard time doesn’t have to involve talking over them and pretty much refusing to at least acknowledge the things they’ve said. He asked multiple times what they could have done better and the answers were curt, instead of taking the opportunity to actually educate him, or any of the listeners. This could have been a great interview that didn’t beat around the bush and laid down some really firm ideas but it wasn’t.
I also agree it would have been bad to have your collective head stuck up NextCloud’s arse. That doesn’t do anyone any good either. I just think there was a better way to handle the situation. I’m not offended by language or even aggressiveness but I suspect that the treatment Jos has been getting on a lot of fronts is going to backfire. Instead of learning from this fuck up, they’ll be even more insular next time and not try to explain. It’s no skin off my back either way, I’m not a NextCloud user and haven’t been since OwnCloud fucked me over for a bunch of data way back when. I don’t want to see the project shrivel and die, which is what will happen if they don’t change, but at the same time, it won’t affect me if it does.
Understand, I’m not looking for professionalism or anything like that, I just thought this was really harsh.
And, by the by, thanks for responding and all that, believe it or not it’s greatly appreciated!
I almost stopped listening to your podcast after you completely ambushed the Nextcloud guy, hope that this is not the way that you are going to keep doing interviews. Because you will not find a lot of vendors willing to be on your show.
And maybe it was not perfect what they did, but at least they did something and not even letting a guy finish his sentence and twisting every word that he said.
That was professional.
What an episode. I thought I would stop listening to Linux podcasts after the end of Linux Luddites. I used to use Linux Mint daily, but now I only use Android devices and a Chromebook. Why would I care about an open source podcast? Well, it’s because you dudes know what the hell you’re talking about, and I need to hear the open source perspective on computing. What an episode, and what an interview.