Comment by dweinstein

2 days ago

I made this tool for macos systems that helps detect when a package accesses something it shouldn't. it's a tiny go binary (less than 2k LOC) with no dependencies that will mount a webdav filesystem (no root) or NFS (root required) with fake secrets and send you a notification when anything accesses it. Very stupid simple. I've always really liked the canary/honeypot approach and this at least may give some folks a chance to detect (similar to like LittleSnitch) when something strange is going on!

Next time the attack may not have an obvious performance issue!

6 comments

dweinstein

someguyornotidk 2 days ago

Thank you for sharing this!

I always wanted to mess with building virtual filesystems but was unwilling to venture outside the standard library (i.e. libfuse) for reasons wonderfully illustrated in this thread and elsewhere. Somehow the idea of implementing a networked fs protocol and leaving system integration to the system never crossed my mind.

I'm glad more people are taking this stance. Large centralized standard libraries and minimal audited dependencies is really the only way to achieve some semblance of security. There is simply no other viable approach.

Edit: What's the license for this project?

dweinstein 1 day ago
hi, glad you like it and that it encourages you to try some things you've always wanted to do :-)
I was thinking for the license I'd do GPLv3. Would that work for you?
- someguyornotidk 6 hours ago
  
  Depends on what you want to achieve with your licensing, but I personally think GPLv3 is a really good fit for a project like yours.
  
  1 reply →

huevosabio 2 days ago

This is clever, and also interesting in that it could help stop the steal as it happens (though of course not perfect).

dweinstein 1 day ago

thanks for your feedback!
that's a really good point and could be an interesting thing to play with as an extension. Since we potentially know which process is doing the "read" we could ask the user if it's ok to kill it. obviously the big issue is that we don't know how much has already been shipped off the system at that point but at least we have some alert to make some tough decisions.