This Week In Security: Perl.com, The Great Suspender, And Google’s Solution

Perl has been stolen. Well, perl.com, at least. The perl.com domain was transferred to a different registrar on January 27, without the permission of the rightful owner. The first to notice the hack seems to have been [xtaran], who raised the alarm on a Reddit thread. The proper people quickly noticed, and started the process of getting control of the domain again. It seems that several other unrelated domains were also stolen in the same attack.

I’ve seen a couple of theories tossed around about how the domains were stolen. With multiple domains being moved, it initially seemed that the registrar had been compromised in some way. One of the other victims was told that a set of official looking documents had been supplied, “proving” that the attacker was the rightful owner of the domain. In any case, the damage is slowly being unwound. Perl.com is once again in the proper hands, evidenced by the proper SSL certificate issued back in December.

The Great Suspender, Suspended

I was greeted by a particularly nasty surprise on Thursday of this week. One of the Chrome extensions I’ve come to rely on was removed by Google for containing malware. The Great Suspender automatically hibernates unused tabs, saving ram and processor cycles that would otherwise be spent on those 150 open tabs that should really be bookmarks. What happened here?

I’ll point out that I’m extremely careful about installing extensions. It’s code written by a third party, often very difficult to inspect, and can view and modify the sites you visit. You can manage what sites an extension has access to, but for a tool like the Suspender, it essentially needs access to all of them. The solution is to use open source extensions, right? “Well yes, but actually no.” Suspender is open source, after all. The link above goes to the project’s Github page. In that repo you’ll find an announcement from last year, that the founding developer is finished with the project, and is selling the rights to an unknown third party, who took over maintainership. If this sounds familiar, there are echoes of the event-stream debacle.

It’s not clear exactly what malicious behavior Google found that led to the extension being pulled, but a more careful look at the project reveals that there were potential problems as early as October of 2020. An addition to the extension introduced execution of code from a remote server, never a good idea. For what it’s worth, the original maintainer has made a statement, defending the new owners, and suggesting that this was all an innocent mistake.

The lesson here? It’s not enough to confirm that an extension checks the “open source” box. Make sure there is an active community, and that there isn’t a 6 month old bug report detailing potentially malicious activity.

Libgcrypt

It’s not everyday you see a developer sending out a notice that everyone should stop using his latest release. That’s exactly what happened with Libgcrypt 1.9.0. Our friends over at Google’s Project Zero discovered an extremely nasty vulnerability in the code. It’s a buffer overflow that happens during the decryption process, before even signature verification. Since libgcrypt is used in many PGP implementations, the ramifications could be nasty. Receive an encrypted email, and as soon as your client decrypts it, code is executing. Thankfully, an update that fixes the issue has already been released.

Android Botnet

A new botnet is targeting Android devices in a peculiar way — looking for open ADB debug ports exposed to the Internet. Google makes it very clear that ADB over the network is insecure, and should only be used for development purposes, and on controlled networks. It’s astounding that so many vendors ship hardware with this service exposed. Beyond that, it’s surprising that so many people give their Android devices public IP addresses (or IPv6 addresses that aren’t behind a firewall). The botnet, named Matryosh, has another unique feature, as it uses Tor for command and control functions, making it harder to track.

Google Solution to Open-Source Security

Google published a post on their open source blog, giving an overview for their new framework for the security of open source projects. “Know, Prevent, Fix” is their name for the new effort, and it must have been written by management, because it’s full of buzzwords. The most interesting elements are their goals for critical software. They identify problems like the ability of a single maintainer to push bad code into a project, and how anonymous maintainers is probably a bad idea. It will be interesting to see how these ideas develop, and how Google will help open source communities implement them.

Microsoft in My Pi

And finally, I was amused by an article lamenting the inclusion of the VSCode repository in the default Raspberry Pi OS images. He does raise a couple legitimate points. Amont them, you do send a ping to Microsoft’s servers every time you check for new updates.

The larger point is that the official VSCode binaries have telemetry code added to them — code that isn’t in the open source repository. What is it doing? You don’t know. But it probably violates European law.

Want to use VSCode, but not interested in shipping info off to Microsoft? VSCodium is a thing.

46 thoughts on “This Week In Security: Perl.com, The Great Suspender, And Google’s Solution

  1. Use of the C and C++ programming languages is looking more and more foolish. Apache is now committed to rewriting httpd in Rust, finally. Hopefully soon we can rid the world of these terrible languages before the internet becomes unusable.

    1. Let me know when Linux gets ported to Rust.

      These hippy scripting languages are fun and all, and definitely have some benefits, but there’s a lot more to programming than web. Rust, Go, Python, JavaScript, fine languages with some cool features, but when you need to write a program ASAP on an 8-bit system with 1KB of RAM, it’s not really practical to port the interpreters, runtimes, compilers, and dependencies for a language first just so you don’t have to manage your own memory. Who’s the more foolish? Someone who plan their memory allocation because they actually know how CPUs work and delivers on time, or someone who tries to shoehorn the flavor of the week into a platform it wasn’t designed for and is over time and over budget just trying to port the dependencies without actually writing any application code?

      If you think C is a bad language it’s because you don’t know how to plan out software. Don’t blame the hammer when you hit your thumb.

      1. Gotta love this quote from the article:

        “We currently live in a world where deploying a few million lines of C code on a network edge to handle requests is standard practice, despite all of the evidence we have that such behavior is unsafe,”

        1. The present-day internet is an inherently untrustworthy media and likely will always be subject to hacking/interception/breaches. Rust (or any other programming language as we know it) is unlikely to change that significantly.

      2. While you are not entirely wrong; you are still not right.

        First of Rust is not a scripting language, it is much closer to C than it is to Go, Python or JavaScript.
        Second, sure machine code or C might be better for very limited/embedded hardware; but that is not what’s being discussed here.
        Third, sure a very knowledgeable programmer with experience in C, who follows all proper standards and conventions, double checks and thoroughly tests their very cleanly written code could probably produce safer and/or more performant code. The problem is we don’t live in that dream world. In reality these projects are worked on by many people, with varying skill, varying leadership/oversight and limited time to do so. Under these conditions using a language that helps prevent such buffer overflows and other common mistakes from being possible certainly has more pros than cons.

        C is a great language, and the world depends on it. That said it wasn’t really designed for the scale of modern programs, and updating the standards can only get you so far. Is the Rust the solution to every C problem? No, certainly not. But it does seem like a better choice if you are starting from scratch.

        1. “Is the Rust the solution to every C problem? No, certainly not. ”

          More ignorance, Rust was specifically designed to be a 100% replacement for C with no performance degradation. RTFA, if Apache can be ported to Rust then so can any other program.

        2. With what I’m seeing of Rust it might not yet be suitable for every single job you’d use a member of the C family for, but its a better option almost every time, doing all the bits humans get wrong for them efficiently, and often producing just as efficient machine code as C.

          The main reason to use anything else is if you need to work bare metal, or just haven’t learnt Rust yet (which is still me), you use what you already know how to do, and hope you didn’t bugger it up…

          1. “The main reason to use anything else is if you need to work bare metal, ”

            That excuse doesn’t work either. Rust runs on ARM Cortex M, AVR, MSP430. Stop making excuses and start using Rust. NOW.

          2. And you are kind of making my point, it works on many things, not all things, and not all the things it compiles for last I looked it did so as effectively as the C families, 40 years of optimisations can sometimes payout..

            There are also times for lower powered chips where you have to choose between ‘100% proper correct use’ or abusing the chips features to get useful performance at the task at hand, hopefully knowing that the situation you have created while bonkers is actually going to be stable, or at least resets cleanly. When you program bare metal you are either a muppet or have damn good reason, as its rather less convenient to do than compiling the higher level languages…

            That said Rust is in the pile of things to really learn about for me, though personally behind ‘mastery’ of one of the HDL languages, as I’ve got projects in mind that really need ASIC, so an implementation on FPGA.. And both of those are behind less computation projects and problems..

        3. More ignorance:

          “sure a very knowledgeable programmer with experience in C, who follows all proper standards and conventions, double checks and thoroughly tests their very cleanly written code could probably produce safer and/or more performant code”

          40- years of endless CVE reports are plain evidence that you are 100% wrong.

      3. A lot of it is using the right language for the right use case.
        C and C++ were initially invented / designed prior to the invention of the internet.
        So errors were more about functional problems rather than deliberate hacks from the outside.
        Back then languages weren’t designed or tested via a million eyes from all over the world (just mostly Bjarne Stroustrup)

        In the case of Rust it’s a systems language so is closer to the bare metal (similar to C)
        But the big difference is that it has some of the features of the higher level Application languages (such as CSharp). The big one is static vs dynamic typing and strong vs weak typing.

        I believe C is classed as a statically weak typed language
        The big problem is that it relies on the user to make sure it handles pointers / memory allocation properly
        such as the pointer to a thing is actually the thing you expect it to be and not something else due to a buffer over or under-run. Tools have been designed to counteract this such as Valgrind.
        But the actual fundamental design of the language allows for users to make errors in unexpected complicated ways that the compiler won’t pick up on until it’s out in the wild.

        Dynamic typing has it’s advantages in scripting languages such as Python and code re-use
        but it’s the sort of thing to be avoided for systems based languages

        Rust imposes a lot of restrictions within the language design to avoid this sort of thing.
        I’ve also found it’s build system (cargo) to generally be a lot more nicer and a hell of a lot easier to use than the myriad of build systems for C and C++ such as cmake, Makefiles, autoconf etc
        The one area it doesn’t cover is class inheritance favouring interface traits instead (although it does have classes)
        So I could see it being a pretty good fit for the Linux kernel for example (replacing structs of function pointers)
        But for something higher level such as QT (as an example) you’d probably have to redesign the layout of the code to get around the lack of class inheritance.

        There has been some interest expressed in starting out with some driver compatibility for it in the kernel
        But I think the macro side of things is probably holding it up.

        * https://lwn.net/Articles/829858/

        For the compiler it use LLVM / Clang which is language agnostic. So adding a target to that means you can compile in lots of different languages.

        1. Valgrind has fatal flaws, it can’t tell the difference between compiler optimizations and bugs. For example strcpy etc on 64 bit platforms is using wide words to copy strings and you get false positives when it hits the end of the string and copies bytes after the null. If both buffers are big enough then it’s harmless but valgrind complains anyway.

    2. Calling for replacing C with Rust or Python is like calling to replace 111 welding process with 141. Each has their uses but ugly truth is 111 is there to stay no matter how many “stack of dimes” videos are posted by bearded hipsters-“fabricators” in their patronited workshops.

      If you can’t make a weld that passes X-Ray inspection then you should either get lost or go back to school before your work causes injury or death to others. Same thing applies to coding.

    3. Well for a few years now, I’ve been attempting to learn a little about writing C code along with PIC/HEX with no success. I have no formal training and a book hasn’t been any help with it. I have hand copied codes from projects online (open source) to work with and still cannot a file to compile so I can download and make any of my projects work. Now I have to worry about learning more of something else? It sucks to be old and from a time vacuum tubes were still widely used. I went to school and learned electronics back then but didn’t continue with it for so many years, now I can’t do what I did for most of my life due to physical conditions and want to work with electronics to have something to do. Of course now days everything is disposable and recyclable so not much use for electronics repair, if it quits through it away and get another one improved and more efficient. The only thing that needs saved is the electronic files.

    4. I’d say the pro is stuff like rust is that it’s much harder for the end developer to create nasty bugs.

      I’m not particularly familiar with Rust, but I’d guess The con is that because the language is doing so much more, if the language/compiler/interpreter/libraries have an issue, then suddenly almost all software written in it does. E.G. if someone found an exploit in jquery, then about 50% of websites would be compromised.

      By contrast, c/c++ does far less, so the compilers are simpler, and the standard libraries are smaller. Plus we’ve had decades of testing that there’s no issues in the compilers or standard libraries.

      Overall, it’s probably safer using rust, but we should be aware that we’re shifting risk, not totally eliminating it.

    1. Maybe a lot of more tech inclined do, knowing it’s the only (easy) way to get into it if you smash the screen. Thought it would just be over the USB though, not the wifi too.

    2. On the devices I’ve worked with, Developer options only enable USB debugging. There is a second option to enable ADB over the network. That’s gonna vary by vendor, though. Easiest way to check is to fire up ADB on a desktop, and try to pull up the device’s IP address.

  2. Humans do not expect other humans to be able to lift automobiles off the ground with their bare hands. We do not think that we can fly like birds. Why do we think that we can write C code despite decades of continuous security reports of the exact same buffer overrun bug first documented in the 1980s? Wow.

    1. I have to ask if you owned either one of these cars? Myself, I owned a Covair for many years, my Grandfather owned several, my Uncle owned a few, one was TOO FAST so Grandpa talked him into selling it. Grandpa’s last one was a 66. I wanted to trade him my 62 for but he would go for it, Dang it. Grandma liked it too ! We all lived in western Neb. and when it snowed, that was our go to car, we NEVER owned any 4×4”s ! Grandpa used that Corvair to pull a pile of stuck cars and even trucks out of the snow. I loved the design of the last generation, they are so cool looking in my opinion. My mother owned a brand new Pinto when they first came out and it was a sporty little car. It is my opinion that it make little difference what model design a car is. Heck even the old classics like the early to mid 70’s Chevy pickup was deemed a disaster. Then there is the later model Toyotas with the electronic throttle bodies. Let me go back to the Corvair, Ralph Nader got a burr in his jock strap for nothing !!! On a side note, I became friends with his running mate for the top jobs in the U.S. some years back and spent some time in her company out here in S.D. The Corvair engine is basically designed the SAME as a VW or a Porcshe, which either can have issues with cylinder seal at the heads and exhaust system, air cooled designs are at risk of allowing exhaust gases in the cabin since the heating system relies on the heat from the engine and such to move the hot air into the cab. The issue with the heating system on the first models of Corvair using fuel in a furnace? What was or is the difference between that and your run of the mill home furnace? Aside from a reduction in mileage, but none of us were concerned with that back then with such cheap fuel. Now for the Corvair rear suspension, I owned a 62 all through high school and believe me when I tell you, I found nothing wrong with the design were it came to safety or strength aside from breaking the U joint yokes outside the differential, and you would have to work pretty hard to do that. I managed to break a few after a few years of abuse to my car, and if it was an issue, GM could have done something to improve that too. I was maybe above and beyond a typical kid driving around town and out in the country with my car as I learned what it and I could do with it. So, the Corvair which as GM designed it, had some issues that were dealt with and would have continued to be improved, they got good mileage and were not lacking in much of anything in comfort or luxury for the day. The engine was the highest HP/cubic inch producing engine of the day and with proper care lasted about as long as any other, it was killed so the country could be flooded with Beatles. The Pinto engine proved to be one of Fords diamonds, it lasted almost as long as the famous small block Chevy ! It was used in cars and pickups even had industrial use. Corvair engines were even modified into self powered air compressors ! Use one side of the engine to drive the other to compress air. Corvair engines went into dune buggies and airplanes just like VW’s and even Porsches. I sold my Corvair back to my Grandfather after school was done, and he kept it for several years and sold it. I moved back 17 years later and one day found it in a lot at an apartment complex. I bought it back and it still had the plates I had on it, never got re registered, I stored it in a lot at a repair shop for a time but it got halled off without notification so I lost it for good. Really makes me sick. I still want a last years style Corvair and would love to get my hands on a nice Pinto. No this has nothing to do with the post about domain theft and I went on with this comment. My last thought is Nothing is perfect in an unperfect world. That saying, Honesty is the best policy. We have a people problem in this world because we are in general too easy on people that don’t know about good policy.

      1. So you don’t know about statistics? The most basic concept is that individual anecdotes are pointless and irrelevant, and just as dumb as the gambler who thinks his winning streak will continue

        1. I am so tired of the arrogance that comes through when reading your comments.
          Now when I look at the Recent Comments sidebar and see that you’ve posted a comment, I don’t bother checking.

          X, it would be an appropriate username for Benchoff, is that who you are?

  3. It indeed funny to read people saying “your code will be safer if you use best practices” when referring to an article that says the opposite, that you are no safer unless you also enforce best practices on every single FOSS developer. And of course we have all seen how developers react when told to change, just read these comments.

    1. Indeed.

      And you are as much a part of the problem as any of those in the way you condemn them for not agreeing with you.

      Like the whole ‘inclusive language’ thing. It’s simply a way of making it look as if you’re doing something without actually addressing the real issue. Your own behaviour.

      1. So it’s my fault that You are not using Rust?

        So apparently all those traffic deaths are also my fault because I tell people to wear their seatbelts.

        And everyone who ever gets a sunburn can blame me because I say to use sunscreen

      2. Yes the real issue here is not the basic security flaws that are responsible for billions of dollars in business losses, the real issue upending the planet is the fact that I don’t agree with you.

      3. I just found this great quote in a story on another web site:

        “A worldview in which you’re always persecuted is a worldview in which you’re never responsible, because being responsible would mean you’re possibly to blame, which is impossible, because the persecuted are always blameless.”

    1. I’m more than bitter about this. I was suspending tabs left and right until the time came to review all of them and close them. So around 100 tabs on just one computer, that were my in my TODO / TLDR list.

      Long story short, installed https://github.com/aciidic/thegreatsuspender-notrack and replaced the extension ID in the url with the new extension ID, this restored all the suspended tabs that otherwise would have been lost. Not a huge deal anyway.

      To people who disclaim the new maintainers: please understand they do social engineering as well. Someone being “autistic” does not mean they are excused from injecting external obfuscated code into the extension, without even adding that to the original repo. It happened to so many extensions that there’s absolutely no excuse anymore.

      The other problem I have is with the general handling of extensions. They get automatically updated (by default) and can be remotely disabled.

      I wish that maintainer changes, especially when the new owner is not an active developer in the project, should be flagged in a STRONG way for everyone to see.

  4. Android issue. Just realized I have a a windoze util installed that may help check if your android devices are vulnerable. It’s called Vyzor it’s adware supported (15 minute popups) but it lets you try to access a device over ADP at local.ip:5555

    I had used it to try to get into a phone with bust screen and digitiser a couple of years back. Which was not vulnerable. (Percussive maintenance got the digitiser working enough to turn on USB debugging)

    You won’t of course be dumb enough to have 5555 open on your router and port forwarding set up such that this is an issue at home, but would help you to know whether it could be a problem if you need to use wifi at McDonalds or somewhere.

  5. I’ve been writing both C and C++ since their early days, and have been laughing for decades about all all those languages that will ‘replace’ them. I hate python – and don’t use it for anything – but of course use javascript when it needs to be used.

    However, rust is different. They have got a lot of the design decisions right, it does stop a lot of the errors at compile time, and can be used for a lot of things. I won’t be using it on small embedded systems any time soon, but on bigger systems I’m using it more and more.
    If it had a single dominate gui library, and an ide like the old borland builder (not the current bloatware), both things that would make it easier to use for a novice user – I suspect it would be wiping out a lot of other languages..

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.