You will be in worse shape than I will be. It's possible, in that insane proposition, that your Debian machine will be conceding remote code execution to the whole Internet, while my phone will just have some crappy apps on the home screen.
The question wasn't whether they could write an elaborate seccomp policy to contain any given Debian package. I just got to pick 10 of them, and install them.
Yesterday I apt-get install'd probably 5 such cruds just to record a small rectangle on my desktop. TBH I did this after apt-get install'ing 3 other animated-gif related cruds to do simple motion animation, then just gave up and used the half-baked Web Animations API in devtools of Firefox because it was easier and better documented than anything else I could find.
That's 8 total cruds written by who-knows, maintained by whoever, audited probably-never by no-one. Also, they pulled in various dependencies I didn't pay the faintest attention to.
How many of those 8 apps would you estimate sent my email contacts to a third party upon instantiation?
How many of those 8 apps would you estimate gathered various pieces of data to fingerprint my device? How many keep gathering data from every sensor source they can poll every time I run and use the app?
How many of those 8 apps would you estimate even touched the network at all?
Now let's suppose I download 8 cruds on iOS just as mindlessly as I did here. Do you think the answers to those questions will be different?
You should try to think of some specific problems that can arise in each environment instead of conducting some sort of weird Socratic dialogue about imaginary apps and a seemingly made-up iOS.
How is the beep local root different from jailbreaks in the past? Seems both are local privilege exploits, and I recall seeing that the iPhone has had a long list of those in the past.
beepmargeddon is a local privilege exploit, not an RCE.
I'm not aware of any Debian package (I don't use Debian that often though, so mind that) that A) installs a network service and B) uses unsafe defaults while C) activating the service on boot by default.