I'm a former pentester. I used to do this kind of work for a living. Secondly, the Snowden leaks were one of the most important events in modern history, and you're on here using them as a cheap way to push your own agenda. Thirdly, RMS hasn't been an active Emacs developer for quite a while, but you're still trying to criticize him.
To bring this back to the topic at hand: npm as an ecosystem is far more vulnerable than the points you mention. It's worth considering why people do not routinely pwn those who use npm. The fact that you are vulnerable does not mean it's a good idea to try to throw an entire ecosystem under the bus.
> Secondly, the Snowden leaks were one of the most important events in modern history, and you're on here using them as a cheap way to push your own agenda. Thirdly, RMS hasn't been an active Emacs developer for quite a while, but you're still trying to criticize him.
I don't see where you got any of that. I read point #11 as citing RMS in his capacity as an authority on GNU goals and principles, a capacity in which he still contributes guidance to Emacs and other GNU projects.
Maybe there's some context missing. GNU is an unapologetically political project; decisions are meant to be made not solely in pursuit of some narrow definition of technical superiority or correctness, but being mindful of their effects on the free software movement and human societies in general. From that perspective, it's completely reasonable to be surprised if a GNU project appears to be out of alignment with a major sociopolitical concern of RMS. For example, if GCC 9.0 were released under the original BSD license, people would be surprised and concerned for fundamentally similar reasons.
What's my agenda exactly and why do you think I'm criticizing RMS? Is that quote my words? And what does being a former pentester have to do with anything you said? Which ecosystem am I throwing under the bus?
The quality of HN is more important than winning. Let's have a conversation worth reading.
The reason I laid out some creds is because you seemed to ignore the substantive part of my comment, twice now.
It is tradition in the security field to make every security incident seem like a very big deal. (See tptacek's comment on Cloudflare's memory leak, for example.) But just because there exist vulnerabilities, it does not mean that (a) anyone has exploited them or (b) that you are in any kind of danger.
> I was shocked that I've been exposed to a dozen TLS vulns that might cause arbitrary code execution the whole time since package.el became a part of Emacs back in circa-2013.
This sentence makes it sound like anyone who has used emacs in any way since 2013 has been in immediate risk of having their computer taken over. Maybe that's true. But even if it were true, what precisely would the steps be to make this attack happen? Have you proved that it can be done?
EDIT: The main point I'd like to get across is that it's worth fixing security problems, but it's important to maintain a spirit of cooperation rather than accusation. Everyone has security issues. Even (perhaps especially) the big names that you wouldn't expect to. That's why people pay pentesters a lot of money -- we're effective at making sure no one else finds them before we do. But emacs doesn't have the resources to get a pentest, and out of all the security vulnerabilities they could possibly have, a few TLS flaws wouldn't even be marked as medium severity unless there were a direct way to take over a user's computer via the flaw.
I'm not trying to win anything, I'm trying to find out where that dismissive tone came from, and see if there's any merit.
Back to topic:
While I agree that being vulnerable is not the same as being attacked, I still have a hard time understanding why you seem to be downplaying the significance.
First of all, I don't have to prove anything; all the papers that describe actual exploitable TLS vulns over HTTP and SMTP/IMAP equally apply to Emacs if you've ever downloaded something over HTTPS or logged in to a server, say GitHub, via an API package like ghub.el. Email is worse with STARTTLS, although the attributes are different. SMTP/IMAP connections tend to be much shorter and less frequent, so your area of exposure may be smaller. But since emails tend to contain a lot of vital PII, the actual harm is probably greater than knowing your session cookie for a blog. Losing email credentials is also quite devastating.
Second of all, TLS is mostly used to guard against all kinds of MITM attacks. Some kinds of MITM attacks are easier to carry out than others, and they don't have to be targeted. Logging into your email account using a coffee shop's wifi without checking for known vulns before transmission of TLS records doesn't sound very comforting to me.
Security, most of the time is about prevention rather than mitigation after the fact, just like you would wear a seat belt even though your likelihood of dying in a car crash isn't very high. Am I supposed to be not shocked to discover my car comes with a seat belt made out of a thin piece of printer paper?
P.S. Since we are putting out credentials, I used to work at Cloudflare, not that I was in any security or systems engineering capacity, but I have also been quite interested in security issues. I guess that makes me a "security hobbyist".
//edit after your edit
You probably should stop accusing me of accusing anybody, that's the exact opposite of what I have done. Please read the last link in the article (https://lwn.net/Articles/759460/).
Think of it this way. Would it be reasonable for pentesters to say "You're critically vulnerable. But I haven't verified this"?
More times than I can count, when I went back to verify whether I was correct, I wasn't. For subtle reasons. If you haven't put in the work, you don't know whether you are right.
> Security, most of the time is about prevention rather than mitigation after the fact, just like you would wear a seat belt even though your likelihood of dying in a car crash isn't very high. Am I supposed to be not shocked to discover my car comes with a seat belt made out of a thin piece of printer paper?
You have never worked in security. The fact that you're shocked at this shows how green you are. I don't mean that in a dismissive or insulting way, but if you'd just go do a stint as a pentester for a year, or talk to some pentesters in the field, you'll quickly stop being shocked at this.
You have a responsibility as someone who is presenting security issues to know what you're talking about. Most people listen to whoever talks the most confidently. And the bare minimum work is proving that the exploits you're presenting are actually applicable to the situation at hand.
Most people don't know security, and very few people will check your work to ensure it's correct. That means when some hobbyist steps up and starts yelling about theoretical issues, it's important to step in and say "Actually, these issues haven't been demonstrated."
What if it takes $100M to MITM someone? Would you say it's still worth being shocked that you're theoretically vulnerable to this? What is the precise cost of someone who actually wanted to MITM someone else using emacs? Have you done the math?
This isn't me downplaying the significance. This is me saying "Do the work." And if you haven't, then you should classify the vulns as low severity. That's what we did whenever we didn't know for a fact that you could own someone's app/box.
You seem to be singularly focused on pentesting, whatever that means to you, and I'm mostly concerned with leakage of information. Being able to prove whether I can pwn Emacs or not is irrelevant. For my purpose, all I have to establish is whether Emacs is treated as a TLS client on the internet. This is trivial.
> You have never worked in security. The fact that you're shocked at this shows how green you are. I don't mean that in a dismissive or insulting way, but if you'd just go do a stint as a pentester for a year, or talk to some pentesters in the field, you'll quickly stop being shocked at this.
Does the fact that you are numbed to snafus like this justify the terrible state of network security of a continuously maintained 30+-year-old editor? I expected more from the countless Emacs hackers who came before me.
I urge you to go through the mailing list thread; if you don't want to, I understand, as it's rather long. But please don't assume you know what I've done or haven't done, how much I understand these issues, or my intentions. We've never met, never conversed before; you don't know anything about me.