Archive for April 16, 2024

Tuesday, April 16, 2024

Twitter’s Pivot to x.com Is a Gift to Phishers

Brian Krebs (Hacker News):

On April 9, Twitter/X began automatically modifying links that mention “twitter.com” to read “x.com” instead. But over the past 48 hours, dozens of new domain names have been registered that demonstrate how this change could be used to craft convincing phishing links — such as fedetwitter[.]com, which until very recently rendered as fedex.com in tweets.

[…]

The apparent oversight by Twitter/X was cause for amusement and amazement from many former users who have migrated to other social media platforms since the new CEO took over. Matthew Garrett, a lecturer at U.C. Berkeley’s School of Information, summed up the Schadenfreude thusly:

“Twitter just doing a ‘redirect links in tweets that go to x.com to twitter.com instead but accidentally do so for all domains that end x.com like eg spacex.com going to spacetwitter.com’ is not absolutely the funniest thing I could imagine but it’s high up there.”

I still go to twitter.com, which serves links to twitter.com rather than x.com. And if I go to x.com it redirects me to twitter.com.

Previously:

Update (2024-04-24): See also: Bruce Schneier.

Update (2024-05-17): Jay Peters and Thomas Ricker:

The social network formerly known as Twitter has officially adopted X.com for all its core systems. That means typing twitter.com in your browser will now redirect to Elon Musk’s favored domain, or should.

Update (2024-05-20): See also: DataChazGPT.

The Apple curl Security Incident

Daniel Stenberg (Hacker News, Slashdot):

The friendly reporter showed how the curl version bundled with macOS behaves differently than curl binaries built entirely from open source. Even when running the same curl version on the same macOS machine.

The curl command line option --cacert provides a way for the user to say to curl that this is the exact set of CA certificates to trust when doing the following transfer. If the TLS server cannot provide a certificate that can be verified with that set of certificates, it should fail and return error.

[…]

When this command line option is used with curl on macOS, the version shipped by Apple, it seems to fall back and checks the system CA store in case the provided set of CA certs fail the verification. A secondary check that was not asked for, is not documented and plain frankly comes completely by surprise.

[…]

This is a security problem because now suddenly certificate checks pass that should not pass.

Yet another case where Apple’s security team doesn’t agree about what constitutes a security issue.

Previously:

The Race to Replace Redis

Steven Vaughan-Nichols (via Hacker News):

For those of you who aren’t open-source licensing experts, this means developers can no longer use Redis’ code. Sure, they can look at it, but they can’t export, borrow from, or touch it.

Redis pulled this same kind of trick in 2018 with some of its subsidiary code. Now it’s done so with the company’s crown jewels.

Redis is far from the only company to make such a move. Last year, HashiCorp dumped its main program Terraform’s Mozilla Public License (MPL) for the Business Source License (BSL) 1.1. Here, the name of the new license game is to prevent anyone from competing with Terraform.

Joe Brockmeier (via Hacker News):

So it should be apparent that code contribution is beside the point. Redis is a venture-backed company that has taken more than $350 million in funding over many rounds since 2011. The company, and its investors, seem to have calculated that they can safely move away from open source to try to capture more revenue.

They have some reason to believe this is the case, if MongoDB’s results are any guide. The company went public in 2017 and moved to the SSPL a little more than a year later. Shortly afterward, major Linux distributions stopped packaging the database because it no longer met their licensing standards. But, by that time, the company had set its sights on a platform model that would encourage developers (and their employers) to use and pay for MongoDB and ancillary offerings with the as-a-service model. Distributing a source-available version of MongoDB could be seen as a loss-leader strategy to reach developers that the company wagered did not care about open-source.

[…]

Having to find a replacement to ship in place of Redis is not the only problem for community distributions. Jacob Michalskie called out several services in use by the openSUSE project that will need a Redis replacement, including the Pagure code-hosting software (created and used by Fedora as well) used for code.opensuse.org, and the Discourse forum software.

[…]

It is, of course, too soon to predict whether one or more of the forks will gain significant traction—but it seems likely that Valkey will be a credible alternative. The possibility of a swift fork with widespread community and industry backing should give pause to vendors who expect a smooth path after abandoning open source.

Previously:

Update (2024-04-24): Gergely Orosz:

Redis will probably be the case study on why it’s a terrible idea for a VC-funded company (Redis Labs) to take over a permissive open source project they did not start (Redis), become the de facto owners, and then “rug pull” (change the license).

Mojo Is Open Source

Modular (Hacker News):

We firmly believe for Mojo to reach its full potential, it must be open source. We have been progressively open-sourcing more of Mojo and parts of the MAX platform, and today we’re thrilled to announce the release of the core modules from the Mojo standard library under the Apache 2 license!

[…]

Beyond just providing source code, we are also opening up revision history for the standard library, releasing nightly builds of the Mojo compiler, providing public CI, and allowing external contributions through GitHub pull requests. This is expensive and non-trivial to set up, but in our experience, it's critically important to allow the community to scale.

Previously: