development programming security

NMandelbrot : running arbitrary code on client

As part of my grand plan for map-reduce in JavaScript and zero-install distributed computing, I had to think about how to gain user trust in a security context where we don’t trust the server. I couldn’t come up with a good answer.

Since then, we’ve seen stories of malicious JavaScript installed to mine cryptocurrencies, we know that JavaScript can be exploited to read memory it should never see on the client (the Spectre paper’s JavaScript proof of concept reads the browser process’s own memory, which holds things like passwords), and I suspect we’ll see a lot more restrictions on what JavaScript is allowed to do – although as the Spectre attack is fundamentally a speculatively executed out-of-bounds array read, it’s going to be a complex fix at multiple levels.

I had ideas about how to sandbox the client JavaScript (I was looking at Python’s virtualenv and Docker containers to isolate code, as well as locking them into service workers which already have a vastly more limited API), but that relies on the browser and OS maintaining separation, and if VMs can’t maintain separation with their levels of isolation, it’s not an easy job for browser developers, or anyone running on their platform.

I also wondered if the clients should be written in a functional language that transpiled to JavaScript, to have language level enforcement of immutability and safety checks. And of course, because a functional style and API provides a simpler context to reason about map-reduce, by avoiding any implicit shared context.

Do you allow someone else’s JavaScript on your site, whether a library, or a tracking script, or random ads from Russia, Korea, botnets and script kiddies? How do you keep your customers safe? And how do you isolate processes you trust from processes that deal with the outside world and users? JavaScript will be more secure in the future, and the research is fascinating (JavaScript Zero: real JavaScript, and zero side-channel attacks) but can you afford to wait?

Meltdown and Spectre shouldn’t change any of this. But now is a good time to think about it. Make 2018 the year you become paranoid about users, third parties and other threats. The year is still young, but the exploits are piling up.



Who do you work with?

In every company, and in larger companies, every department and location, there are key players who make the company work. They might be the boss who sets a clear vision, they might be the admin who goes above and beyond, they might be the social butterfly who knows everyone. Whoever they are, they are the ones that keep the team working. And when any of them leaves, the dynamic of the team changes. Not always for the worse, but there is always a period of adjustment.

Sometimes, however, several of them leave in quick succession, like canaries at the coalface. Or maybe they just stop doing what makes them effective: new directives from above, too busy on chargeable time, or something else. Suddenly the team starts jarring, and you don’t necessarily know why, because you haven’t seen what they’ve been doing behind the scenes. But if you feel that tide, you’ll know everyone’s getting their CVs ready, either to jump up or to jump out.

If you don’t know who your canaries are, keep a lookout, because apart from the leadership team, there are likely a few you haven’t noticed. Who is really pulling the strings? Who goes above and beyond? Who seems to turn up in unexpected places? Who is the person people turn to when things go wrong or they need advice? Don’t go looking for the people who surround themselves in lights, who have a Heart of Gold and want you to know it. Look for those who are looking out for the people who are invisible. Who is kind to the cats?

But equally, be wary of the teams where the canaries don’t get a chance to be found because something else gets in the way. The teams heavily populated by graduates, or men, beyond the industry norms. If toxicity is bred into the culture, the fatal warnings are much harder to spot. Toxic culture shields egos and protects the status quo, weeding out dissent even when that dissent is essential for the survival of the team.

Know who you are working with.