Insecurity and Python pickles

Posted Mar 14, 2024 18:28 UTC (Thu) by pizza (subscriber, #46)
In reply to: Insecurity and Python pickles by adobriyan
Parent article: Insecurity and Python pickles

> This is easily fixable by casting spell called "Criminal Negligence" readily available in most countries.

Except that criminal laws are not retroactive.

> Whoever enables eval() equivalent by default goes to prison.

Ok, so users have to change the default setting to achieve common legitimate use cases.

Or they're prompted "do <potentially dangerous thing> Y/N?" so often that they automatically say "Yes" without thinking about it any more.

....That which makes computers useful also makes them dangerous. And the definition of each varies on an individual and/or situational basis.

to post comments

Insecurity and Python pickles

Posted Mar 14, 2024 19:01 UTC (Thu) by adobriyan (subscriber, #30858) [Link] (2 responses)

> > This is easily fixable by casting spell called "Criminal Negligence" readily available in most countries.
> Except that criminal laws are not retroactive.

I'm not proposing new law. I believe all the laws are in place already, it is just that governments chose to not exercise them.

I remember Nimda pandemic while at the university. Us, Linux users were laughing at Windows suckers.
But our machine was dual booting so we were laughing at ourselves too.

It is unthinkable how Microsoft was not crucified for those stunts. It was so easy politically.

> > Whoever enables eval() equivalent by default goes to prison.
> Ok, so users have to change the default setting to achieve common legitimate use cases.

Yes, and then it is not on the manufacturer.

> Or they're prompted "do <potentially dangerous thing> Y/N?" so often that they automatically say "Yes" without thinking about it any more.

Police officers don't even get prompted by their gun's safety lock, they just disable it and shoot the criminal if necessary.
Somehow, the society lives with it and this situation is considered OK by general public, gun manufacturers, police and soldiers.
Nobody is saying "hey, police officer would have override safety lock so many times in his career that they would do it without thinking".
Maybe it is time to stop saying that when talking about software.

Insecurity and Python pickles

Posted Mar 14, 2024 19:28 UTC (Thu) by pizza (subscriber, #46) [Link]

> Police officers don't even get prompted by their gun's safety lock, they just disable it and shoot the criminal if necessary.

So? Police weaponry is specifically designed to kill or otherwise incapacitate; they have no other legitimate uses. [1]

Whereas these "dangerous" software features are used as intended by untold millions of office drones every single day.

[1] They are also used to project the implicit and explicit threat of potentially lethal force should you not submit to their authority.

Insecurity and Python pickles

Posted Mar 14, 2024 20:34 UTC (Thu) by dvdeug (subscriber, #10998) [Link]

> Maybe it is time to stop saying that when talking about software.

Do you want actual security, or are you just trying to shift the blame?

Everyone of us has run into an interface where it demands "are you sure you want to do this?" and you hit yes without thinking because you've been asked that question over and over when you're trying to do exactly that. There is some user blame where the user understands the question (e.g. "are you sure you want to delete this file?"). However, "do I want this spreadsheet to work?" -- when 99% don't have a clue what that means and the remaining 1% _could_ spend the next hour doing a forensic examination of the guts of the spreadsheet but aren't going to waste their time without reason -- is just blame-shifting.

Even a question of "this spreadsheet is trying to write to an external file. This is a warning sign of a malicious spreadsheet; do you want it to continue?" is going to auto-yessed by 50% of the users, and it's going to be a pain using the office spreadsheet that does do that for non-malicious purposes, because 15% of the users are going to auto-no that, even when they're prewarned. That's not completely security theater, but the fail cases on both sides makes it pretty ineffective.