
Comment by GistNoesis

5 years ago

After reading it a few times, I think it's not about some script kiddie using curl to hack into his system.

Although I condemn Al Nocai's method, I feel for him and I am inclined to adopt the contrarian opinion that he probably got screwed because of the bad quality of curl.

Curl had some remote exploit last year, and curl is used everywhere, as the author reminds us (often as libcurl). https://daniel.haxx.se/blog/2020/02/03/remote-exploiting-cur...

The deeper underlying systemic problem is that open-source is a way to disclaim all responsibilities. When some open-source project has some level of reach there needs to be quality requirements and regular security audits. (like they (last?) did in 2016, https://daniel.haxx.se/blog/2016/11/23/curl-security-audit/)

Otherwise it's like OpenSSL's Heartbleed story, where a few unpaid project maintainers hold the keys to the world.

In today's interdependent world, when trying to build something, we are more and more reliant on the quality of the libraries we use. As a product builder facing the client, you get to bear the responsibility when your client has a problem because of a library you use. But when open-source software removed the possibility of competing solutions by providing free "as is" software, you can't realistically choose not to use it, and you are the one left holding the bag and paying the price for others' mistakes.

> When some open-source project has some level of reach there needs to be quality requirements and regular security audits. (like they (last?) did in 2016, https://daniel.haxx.se/blog/2016/11/23/curl-security-audit/)

I think the key question with that is: It all sounds nice, but who is realistically going to pay for it. _especially_ repeatedly.

  • That's indeed the failure of the system: something sensitive used by billions not being able to pay for a regular audit.

    If no one wants to pay for it to have the required quality, why not make it a public utility properly funded by tax, as a public service, instead of later paying the costs in various forms of the consequences of the vulnerabilities?

  • How about the companies who need that sort of security audits for the software they rely on?

    • I haven't seen much evidence of this happening on anything approaching a wide scale. For example, the piece of software in the article is used almost everywhere, by governments, companies, etc., and yet it still cannot get the funds for yearly audits.

If he's the one using cURL, does that mean that he is one of the kids in the phrase 'You built a formula 1 race car and tossed the keys to kids with ego problems.'?

  • cURL is a complex beast; it handles plenty of various network protocols, and does it in low-level C, therefore it has a lot of potential for exploits if there is a bug like wrongly formatted strings or buffer overflows. It's a nest for zero-days.

    The code is available to anyone to look for such bugs, even the kids with ego problems (aka the hackers). Hackers like curl because it's a nice tool that indeed helps them a lot.

    Everyone uses curl, willingly or not, embedded by another library which needs some network protocol. Pass a filename that starts with "protocol://... " to any buggy program that will try to open it, and then one branch somewhere inside libcurl will get called. If you give the right magic string, you get a remote shell.

Why couldn't someone who doesn't want to use an open source library just write their own? Just because it exists doesn't mean you are forced to use it--

  • Most often it's a dependency of a dependency. The library you really want to use is using the library you don't want to use. Economically it's not possible to not depend on anything, so you take some risk and hope it doesn't later bite you back.