Thread by Matthew Green (@matthew_d_green):

Good thread about the recent Unicode attacks and some previous work that predates it. I agree that citations could be improved. But I want to push back a little. 1/
What was interesting to me about the recent Unicode/Trojan attacks (link below) isn’t that Unicode contains some exploitable fluffery. *Of course* it does. Unicode is terrible. 2/ trojansource.codes
What was surprising to me is how many compilers, source management tools and IDEs were vulnerable to the attacks. I expected this from pomo languages like, say, Golang or Swift. But even compilers for ancient languages like C/C++ were happy to eat Unicode and not complain. 3/
This is a pretty common thing in infosec, where somebody says “that attack isn’t new, it’s been known for years” and then you look around and literally *everything* is still vulnerable to it. Maybe “new” isn’t what’s important. 4/
Over the past few days we’ve seen several advisories from compiler developers, source management systems and others. This is the result of a coordinated disclosure process, and, yes, a publicity process (with a website and logo!). That’s a good thing! 5/
To me what distinguishes this work is not “we found a vulnerability,” because the vulnerability itself is fairly simple, but rather the effort that was put into classifying all the vulnerable tools and scanning for pre-existing exploitation. Thank god for grad students. 6/
With all those things said, crediting previous work is really important. And I think the citation here could be a lot more robust. 7/
Anyway, to conclude: we shouldn’t worry about 0days. We should worry about the 1538days that someone discovered, described in a quick blog or pastebin, and that are now lying around for someone to find and exploit. //
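An added example, not part of the thread and not the Trojan Source authors' tooling, of the kind of check the thread says most toolchains were missing: a small Python scanner that flags Unicode bidirectional control characters in source text and reports lines where a control is still open at end of line. The C snippet inside it is constructed for illustration in the shape of the published early-return pattern: the compiler sees two complete comments and an unconditional call, while a bidi-aware editor renders the call as if it were guarded by `if (is_admin)`.

```python
"""Scan source text for Unicode bidirectional control characters.

Added example for this page; not code from the thread or from the
Trojan Source project. The SAMPLE_C text below is constructed.
"""
import unicodedata

# Bidi formatting characters that can change how source text is displayed
# without changing what a compiler or interpreter actually parses.
BIDI_CONTROLS = {
    0x061C, 0x200E, 0x200F,                  # ALM, LRM, RLM (directional marks)
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,  # LRE, RLE, PDF, LRO, RLO
    0x2066, 0x2067, 0x2068, 0x2069,          # LRI, RLI, FSI, PDI
}
# Controls that open an embedding/override/isolate, and the ones that close them.
OPENERS = {0x202A, 0x202B, 0x202D, 0x202E, 0x2066, 0x2067, 0x2068}
CLOSERS = {0x202C, 0x2069}  # PDF closes embeddings/overrides, PDI closes isolates


def find_bidi_controls(src):
    """Return (line, column, 'U+XXXX', name) for each bidi control in src (1-based)."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp in BIDI_CONTROLS:
                hits.append((lineno, col, f"U+{cp:04X}", unicodedata.name(ch, "?")))
    return hits


def unpaired_lines(src):
    """Line numbers where an opener is not closed before the end of that line.

    A newline ends the paragraph and resets bidi state, so a control whose
    effect is still open at end of line is the pattern that lets displayed
    code differ from compiled code. This is a heuristic: it counts openers
    against closers without checking that PDF/PDI match the right opener.
    """
    bad = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        depth = 0
        for ch in line:
            cp = ord(ch)
            if cp in OPENERS:
                depth += 1
            elif cp in CLOSERS and depth > 0:
                depth -= 1
        if depth > 0:
            bad.append(lineno)
    return bad


# Constructed sample (assumption: this is not from any real project). Logically,
# lines 4 and 6 are each one complete /* ... */ comment, so puts() always runs.
# A bidi-aware renderer reorders the RLO/LRI runs so the comment on line 4
# displays as if it ended before "if (is_admin) {" and line 6 as "} /* ... */".
SAMPLE_C = (
    "#include <stdio.h>\n"
    "int main(void) {\n"
    "    int is_admin = 0;\n"
    "    /*\u202e } \u2066if (is_admin)\u2069 \u2066 begin admins only */\n"
    "        puts(\"you are an admin\");\n"
    "    /* end admins only \u202e { \u2066*/\n"
    "    return 0;\n"
    "}\n"
)

if __name__ == "__main__":
    for line, col, cp, name in find_bidi_controls(SAMPLE_C):
        print(f"line {line} col {col}: {cp} {name}")
    print("controls still open at end of line:", unpaired_lines(SAMPLE_C))
```

To run it over real files, read them with `encoding="utf-8"` and pass the text to the two functions. The unpaired check is the same idea GCC 12 later shipped as `-Wbidi-chars` (default `unpaired`); for code review a stricter policy of rejecting any bidi control at all outside genuinely bidirectional string literals is usually fine.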
