This argument is false on its face. There's overwhelming evidence in the Crowdstrike releases prior to the election[1]. And there's far more from them and at least half a dozen respected infosec firms. Literally any competent infosec practitioner who has looked at the evidence understands that Russian hacking activity was massively elevated in the run up to the election and explicitly targeted candidates and electoral functions.
So, what are your motivations in disputing well established facts? Are you just choosing to be intentionally contrarian and happen to have stumbled into on a subject you know nothing about? Or do you have some stake in willfully misinforming people on this subject?
> The network stack has been out of the content process for a super long time, it is not a new thing.
FWIW, Chrome's network stack doesn't live in the content process either. It's not currently sandboxed, but it's in a process that has no scripting runtime or other dynamic content, so it's still pretty high bar for exploit. The exact reasons for the current situation have to do with some legacy Windows support that has since been removed, which is why the sandboxing work is now moving forward. So, I definitely appreciate your situation with adding some sandbox exceptions for WebRTC.
> I suspect over time we'll see our respective sandbox models become more similar over time, especially on macOS.
Fair. But I will say that Chrome being cross-platform tends to naturally push us in the direction of eliminating sandbox attack surface. Our supported platforms just differ so much that it's easiest to lock down the OS as much as possible and implement narrower, origin-bound capability brokers inside Chrome. If I were more tightly bound to a given OS implementation, I expect I'd have a lot more fights about sandboxing, because it's easier for devs to just standardize on what the OS gives you.
I don't keep up too much on Safari these days, so congrats on moving the network stack out of the content process. But looking at the current WebProcess seat-belt policy and what gets initialized, it looks like there's still far too much attack surface relative to Chrome. Things like audio/video capture and other permissioned Web APIs appear to be permitted directly inside the sandbox. And the GPU attack surface alone is a giant vector for escape--plus all the other potential escape vectors posed by that very long list of mach services.
So yeah, the seat belt policies alone aren't determinative, which is why I called them "a rough analog". And it's hard to say what gets pulled in through warmup (which is why we'll be eliminating it with our v2 bootstrap sandbox). Accepting that, it's pretty clear that there's just dramatically less attack surface exposed from inside Chrome's sandbox versus Safari's.
Just to add some context, on macOS you can look at the seat-belt policy as a rough analog of for basic sandboxing guarantees, where the fewer exceptions you have the stronger your sandbox is. From that perspective, Chrome's policy has around 1/10th the exceptions of Safari.
And of course, that's before we get into more complex forms of isolation that Chrome implements, such as the sandboxed GPU process, or ongoing work into things like network sandboxing, the macOS bootstrap sandbox, and site isolation (origin-bound renderer sandboxing).
So, the thing we call "win32k lockdown" on Chrome is just a term for the various things we had to do to enable ProcessSystemCallDisablePolicy on our sandboxed renderer processes (the processes that handle Web content). ProcessSystemCallDisablePolicy is a very big hammer, because enabling it prior to process launch means the kernel blocks all GDI and NTUser calls, such that the process can't interact with the UI or graphics subsystems. Chrome can do this because our UI and graphics acceleration layer is split into our unsandboxed browser process and the more weakly sandboxed GPU process.
The difference with Edge and IE is that they run their UI and graphics stack in their content processes, which are an analog to Chrome's renderer processes. However, any UI on Windows requires win32k kernel support, so they can't disable it like Chrome does. Instead, Edge uses its win32k filter to limit the attack surface to only the calls that they need. So, where Chrome's architecture allowed us to make an aggressive cut, Microsoft is instead working to iteratively shut off the same attack surface in Edge.
And yes, the win32k whitelist is currently restricted to EdgeHTML processes by the kernel and signature enforcement. I know this because we currently sandbox our GPU process at about the same level as an IE content process, and we wanted to use the win32k whitelist get the same improvements as Edge. Unfortunately, Microsoft is still working on the capability, and is not ready to expose it to third-parties yet (but has given signs they may be willing to do so in the future).
Source: I lead engineering on Chrome security and am the original architect of Chrome's win32k lockdown.
Please don't spread misinformation. Here are the facts:
1. While the Hotword module was downloaded at startup, the feature was not activated without the user explicitly enabling it via the settings menu. <https://crbug.com/500922#c6>
2. Downloading the module in Chromium was a bug, and it was fixed after being reported. <https://crbug.com/50922#30>
3. The Hotword feature was dropped from Chrome not too long after, because it was an experiment that never really panned out (and was enabled by very few people).
> when riseup.net got an NSL to give access to the email accounts
This is simply not true. An NSL cannot be used to compel access to any communication content—and certainly not control of an account; they're limited solely to metadata (e.g. phone call records, IP addresses, billing metadata, etc.). I'm not a fan of NSLs, and strongly support repealing the section 505 expansion, but it behooves no one to lie about what an NSL is and what it can compel.
I actually watch Fox with some regularity and follow various conservative news sources. I may not agree with the views, but I want to understand where people are coming from. And Beck's show was consistently so far beyond the pale.
No, all we have right now are projections, which put Clinton at ~2% lead in the popular vote. We won't have final vote counts until probably December, because many millions of outstanding votes are still uncounted.
The same thing happens every presidential cycle. Counts come in much slower for populous states with large volumes of absentee, provisional, and mail-in ballots. Clinton is going to win these votes by something like a 2:1 margin.
I wonder whether you actually read the article you linked, because here's how he tries to shift the blame and deny his own accountability:
>Now, I’ve got people on the left accusing me of creating Donald Trump. And I’m like, “But I’m against Donald Trump. I warned against a guy like Donald Trump.” Well, you created the conditions that grew Donald Trump. “No, I didn’t. I think it was the government — both parties that weren’t listening to the people, that the people got so frustrated they wanted to burn the whole thing down.”
And here's the only thing he apologizes for -- a bullshit non-apology for tone rather than substance:
> And so I’ve been ringing that bell. And I’ve been telling you, “This is going to end in disaster. It’s going to end in disaster.” No exits left. There’s a cliff coming. That’s what I want to apologize for. I still believe that: there’s a cliff coming. But that is such a hopeless message that I can barely survive. And it’s because I have gazed upon the problems. That which you gaze upon, you become.
I'm not going to waste more time debating this, because there's literally nothing to debate. Beck did tremendous damage to the political discourse, and he's never owned up to to it. And what he's doing now to normalize Trump's dangerous behavior is only making the situation worse.
A non-free pass would mean Beck actually took responsibility for his actions and apologized rather than than attempt to excuse himself with false equivalence.
Let's be clear, he baselessly demonized Obama's presidency while the man was actively trying to reach across the aisle and even brought numerous Republicans into his administration. Beck fed lies and hate to incite an angry mob, and was a key player in the last eight years of the bitterest partisan divide and obstruction that we've experienced in the modern era. And now he's minimizing Trump's vile words and actions -- arguably a direct product of the climate Beck helped create -- because somehow Beck's own insane apocalyptic fantasies about Obama should normalize them? That is the furthest thing from an apology. It's a gross insult to anyone familiar with the facts, a cynical attempt to abdicate his personal responsibility, and attempts to mainstream the worst of Trump's behavior.
No. What Glenn Beck is doing right now is just pandering to his own audience that he was at risk of losing entirely if he didn't eventually fall in line with Trump.
Mentioning BadUSB very much implies confusion about the threat models at play. That is, the threat model for BadUSB is a malicious device that attacks the host OS, drivers, or applications. Whereas, the threat model for WebUSB is concerned with malicious sites attacking or abusing physical devices attached to the system.
So, the scenario you seem to be implying would require coordination between a malicious WebUSB site and a malicious device. While I can't claim that it would be impossible, it sure seems to approach de minimis if only given the extent of user interactions and preconditions.
So, what are your motivations in disputing well established facts? Are you just choosing to be intentionally contrarian and happen to have stumbled into on a subject you know nothing about? Or do you have some stake in willfully misinforming people on this subject?
[1] https://www.crowdstrike.com/resources/crowdcasts/bear-huntin...