Admin
completely blind computer geek, lover of science fiction and fantasy (especially LitRPG). I work in accessibility, but my opinions are my own, not that of my employer. Fandoms: Harry Potter, Discworld, My Little Pony: Friendship is Magic, Buffy, Dead Like Me, Glee, and I'll read fanfic of pretty much anything that crosses over with one of those.
keyoxide: aspe:keyoxide.org:PFAQDLXSBNO7MZRNPUMWWKQ7TQ
Location
Ottawa
Birthday
1987-12-20
Pronouns
he/him (EN)
xmpp fastfinge@im.interfree.ca
keyoxide aspe:keyoxide.org:PFAQDLXSBNO7MZRNPUMWWKQ7TQ
1mo
@MostlyBlindGamer @NVAccess Public criticism of the security model is disclosure I guess. Other than complaining about inaccuracies I’ve gone out of my way to correct, NV Access has declined to respond to the actual problem here: VirusTotal scanning is ineffective, and gives users a false sense of security, while being easy for malicious addons to work around. That’s not an exploit! That’s the system working as designed!
1mo
@NVAccess @tspivey So the answer to a poorly thought out security model is to demand that discussions of it happen in private? That’s an even worse decision than the one I’m upset about.
1mo
@tspivey @NVAccess Also, I have two trusted addons, one in the store. Give me $500 per addon and I’ll make sure everyone running my addons never sees that your addons have viruses. And when your malicious addon eventually gets removed, mine will probably remain unnoticed in the store so I can sell my result modification to my next customer. This is a joke! Not a real offer! But someone could easily do this. The only practical defence is for users to know and trust the developers of their addons. Not just to be not evil, but also to be skilled. Once you have a single addon installed, you can no longer trust anything NVDA reports unless you trust that addon author. That’s why I think we need PGP keys and author identities front and center. All a VirusTotal scan can do is, at best, nothing, and at worst convince a user that an addon is safe when it isn’t.
1mo
@tspivey @NVAccess Right. But what I don’t understand is why they’re spending resources on this. It doesn’t inconvenience any users, sure. But it also doesn’t inconvenience any attackers. And for inexperienced users, a VirusTotal result saying “0 threats” sounds the same as saying this addon is safe. What NVDA can do is make assertions about who developed any given addon. Users can then decide if they trust that developer or not. IMHO, that’s where effort should be spent. Not in pretending to play a threat detection game that even the likes of Google and Microsoft can’t win.
1mo
@J3317 @NVAccess Do you mean the text field with unclickable links?
1mo
@NVAccess And I have to push back here, as well. When I go to the addon manager, and browse for and install addons, where do I see this information? There’s no rating like in the Chrome or Edge addon store. No number of reviews. No number of installs. No easy way to see other addons by the same developer, so I can judge if they’re an active part of the community, or malicious, or what. No contact info for the author. Maybe this is all on a website, or in a group I’m not subscribed to. But for the purposes of helping a user judge if an addon is trustworthy or not, that’s effectively nowhere.
1mo
@tspivey @NVAccess I’ll grant you that I was incorrect about it being delivered in the manifest. But from the perspective of a malicious addon author, I’m not sure how it’s delivered really makes any difference if I can still intercept and modify it at will. It’s still data that the user’s local copy of NVDA, running on the user’s machine with the user’s addons of unknown provenance installed, cannot trust. I admit I’m not the expert either of you are, but I can’t think of a way around this that doesn’t have other awful side effects. It would be safer for everyone for NV Access to work on developing a trust model for addon developers and a reputation system for addons, rather than pretending it can make any claims at all about the safety of an addon. Again, unless I’m wildly wrong somewhere. And if I am, I’d love to know.
1mo
@tspivey @NVAccess I also think it’s fair to say that any malicious payload delivered via an NVDA addon is going to be targeted to NVDA users. So you have to assume it knows about NVDA’s security process. So once again, unless I’ve misunderstood a lot more than I think I have, a VirusTotal scan is nothing more than a placebo at best. I’d love to be wrong here.
1mo
@tspivey @NVAccess I can see the dictionary that contains them in the Python Console. So how they’re delivered really doesn’t matter, if we assume either that I’m malicious or am working for another malicious actor.
1mo
@tspivey @NVAccess My understanding is that NVDA adds them in during its build/test process. They’re then stored on the user’s machine, fully accessible to addon authors to add our own fake results, or overwrite others, or do whatever we want.
1mo
@NVAccess But you haven’t stopped that from happening. Any addon can still do that. So what threat, exactly, is VirusTotal defending against? Users who run Windows Defender will already have it intercept known viruses. Unknown viruses aren’t likely to be picked up by Defender or VirusTotal. Malicious addon authors can just add code into the addon that will download the virus later, and thus never be scanned by VirusTotal. I guess maybe you’d catch supply chain attacks? Those of us who distribute outside of the NVDA store can continue doing whatever the heck we want, but now we can also stick fake VirusTotal keys into the addon.
1mo
@jaybird110127 @NVAccess I thought that was obvious enough to not need saying. But perhaps it wasn’t, so thank you for saying it. Chrome addons, and even Android and iOS apps, do this constantly. But Google and Apple have to keep fighting the good fight, and ever restricting functions, because there are just so many app developers that expecting users to know who any of them are or who they can trust is impossible. In the much smaller community of addon developers, that’s really not the case.
1mo
@NVAccess As for reaching out privately: the fact that the entire security model here seems completely wrong to me isn’t a vulnerability. It’s endemic to your design. And I have no idea what the store does with it, but I can absolutely put my own VirusTotal results in a manifest of an addon distributed outside of the store. So NVDA can’t make any assertions based on that data unless it could guarantee the addon was installed from the store. And that would involve… I guess having a local list of the hashes of every single addon? The only way you can secure addons is by restricting the functions available to them, in ways I’m certain I and other users would find unacceptable. So your only workable recourse is to develop a model that strongly relies on author trust, reputation, and auditability. To be totally honest, this feels like NVDA has not done threat modeling at all, doesn’t understand what threats an “addon security” system is attempting to prevent or what’s realistic, and hasn’t put long and hard thought into balancing the security triangle for users. Instead, from the outside, a VirusTotal scan looks like “we must be seen to be doing something, and this is something.”
1mo
@NVAccess But this is utterly meaningless. Any addon can download and run any code it wants, from any URL. So there is no guarantee the addon isn’t running malicious code. As long as the addon can download and run its own code, the VirusTotal results can’t mean anything. So they’re security theatre, as I said. Either NVDA blocks addons from downloading arbitrary files to the user’s machine completely, NVDA manually reviews all addon code (and the code of any network servers the addon uses), or the VirusTotal results in the store are useless.
1mo
@jscholes @NVAccess @alexhall The best way to avert the issue is to make infrastructure decisions that don’t allow it to happen. With a little thought that’d easily be possible. But slapping on a VirusTotal scan that can’t be helpful doesn’t demonstrate the kind of thoughtful approach needed.
1mo
@jscholes @alexhall But that’s never, ever what happens. As soon as any infrastructure exists to stop you running code they can’t control they always use it to stop you doing things they don’t like. In the name of security, of course.
1mo
@prism This is why you track reputation. Number of false reports, account age, etc.
1mo
The blindness community is also quite interconnected. If we wanted to, a "web of trust" would be more possible for us than other communities. We regularly gather at conventions (NFB, ACB, Sight Village, Zero Project, etc.) so with accessible, easy to use and understand tools, keysigning parties could easily happen. We've already moved to the because it's more accessible, and obviously better for our needs. Let's keep thinking differently about centralization and privacy; we might discover there are other methods that will work better for us and our needs, without restricting our rights, privacy, or functionality.
1mo
An actual security solution:
* allow user reviews of addons
* allow users to report addons
* remove addons from the store after X number of reports
* have a reputation system for addon developers (How many addons? How many versions? How long have they been around?)
* allow high reputation developers to do code reviews of other addons and submit the results

This would help for addons in the store. For addons not in the store, users are on their own. However, even for non-store addons, NVDA could do things that would reduce risk:
* Check PGP keys. An addon that claims it was by fastfinge but isn't signed by my PGP key won't run. Public keyservers already exist; NVDA doesn't need to build infrastructure, or in any way gatekeep or endorse developers to do this.
* reserve addon names: fastfinge is the known developer of unspoken-ng. So flag a big warning before running a version of unspoken-ng developed by BobTheBadman. And don't run a version of unspoken-ng not signed by fastfinge's known PGP key at all.

There are ways to let users understand if an addon can be trusted, or how much, and who made it, without centralizing on the store, pointlessly scanning with VirusTotal, etc. NVDA addon security based on restricting functionality is never going to work. So instead, we need to create the tools to build trust models of developers, and know exactly who wrote and signed off on the code we're running.
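The key-pinning and name-reservation checks proposed in the post above, written out as an added example. This is not NVDA or NV Access code, and not code from the post's author. The post proposes PGP keys and public keyservers; so that this runs offline with only the Python standard library, a Lamport one-time hash signature stands in for PGP (the policy logic is the same whatever signature scheme sits underneath). Keys, the pinned-developer registry, the reserved-name table and every manifest are constructed here; the names fastfinge, BobTheBadman and unspoken-ng come from the post, while `newdev` and `new-addon` are hypothetical.

```python
"""Key-pinned addon trust check, following the post above.

Added example, not NVDA / NV Access code. Lamport one-time signatures
stand in for PGP so this runs with the standard library only. All keys,
registry entries and manifests below are constructed for the example.
"""
import hashlib
import json
import secrets

RUN, WARN, BLOCK = "run", "warn", "block"


def lamport_keygen():
    """Private key: 256 pairs of random 32-byte secrets. Public key: their SHA-256 hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in priv]
    return priv, pub


def _bits(msg: bytes):
    """The 256 bits of SHA-256(msg), most significant bit of each byte first."""
    digest = hashlib.sha256(msg).digest()
    return [(byte >> (7 - i)) & 1 for byte in digest for i in range(8)]


def lamport_sign(priv, msg: bytes):
    """Reveal one secret per message-hash bit. One-time: never sign twice with the same key."""
    return [pair[bit] for pair, bit in zip(priv, _bits(msg))]


def lamport_verify(pub, msg: bytes, sig) -> bool:
    """Each revealed secret must hash to the public half selected by the message bit."""
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(s).digest() == pair[bit]
               for pair, bit, s in zip(pub, _bits(msg), sig))


def fingerprint(pub) -> str:
    """Stable identifier for a public key (stands in for a PGP fingerprint)."""
    h = hashlib.sha256()
    for a, b in pub:
        h.update(a)
        h.update(b)
    return h.hexdigest()


def canonical(manifest: dict) -> bytes:
    """Bytes the signature covers: every field in a fixed order, so the addon
    name and author claim cannot be edited after signing without breaking it."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def check_addon(manifest, sig, signer_pub, developers, reserved_names):
    """Decide whether to run an addon.

    developers:     author name -> fingerprint of the key the user has pinned
    reserved_names: addon name  -> author name known to own that addon
    Returns (verdict, reason).
    """
    fp = fingerprint(signer_pub)
    if not lamport_verify(signer_pub, canonical(manifest), sig):
        return BLOCK, "signature does not verify over the manifest"
    author, name = manifest["author"], manifest["name"]
    if author in developers and developers[author] != fp:
        return BLOCK, f"claims author {author!r} but is not signed with their pinned key"
    if name in reserved_names and reserved_names[name] != author:
        return BLOCK, f"{name!r} is reserved for {reserved_names[name]!r}, this copy is signed by {author!r}"
    if author not in developers:
        return WARN, f"{author!r} is not a developer you have pinned; decide whether to trust them"
    return RUN, f"{name!r} is signed by the pinned key of {author!r}"


def run_scenarios():
    """Constructed scenarios: a pinned developer, an impostor, a tampered manifest, an unknown developer."""
    ff_priv, ff_pub = lamport_keygen()      # fastfinge's key
    bob_priv, bob_pub = lamport_keygen()    # BobTheBadman's key
    new_priv, new_pub = lamport_keygen()    # a developer the user has never heard of (hypothetical)
    developers = {"fastfinge": fingerprint(ff_pub)}
    reserved = {"unspoken-ng": "fastfinge"}

    def signed(priv, **fields):
        m = dict(fields)
        return m, lamport_sign(priv, canonical(m))

    results = {}
    m, s = signed(ff_priv, name="unspoken-ng", author="fastfinge", version="2.0")
    results["genuine"] = check_addon(m, s, ff_pub, developers, reserved)[0]
    # Impostor claims to be fastfinge but can only sign with his own key.
    m, s = signed(bob_priv, name="unspoken-ng", author="fastfinge", version="2.1")
    results["fake_author"] = check_addon(m, s, bob_pub, developers, reserved)[0]
    # Impostor publishes the reserved name under his own identity.
    m, s = signed(bob_priv, name="unspoken-ng", author="BobTheBadman", version="2.1")
    results["hijacked_name"] = check_addon(m, s, bob_pub, developers, reserved)[0]
    # Genuine signature, but a manifest field edited afterwards.
    m, s = signed(ff_priv, name="unspoken-ng", author="fastfinge", version="2.0")
    m["version"] = "9.9"
    results["tampered"] = check_addon(m, s, ff_pub, developers, reserved)[0]
    # Unknown developer, unreserved name: the user has to make the trust decision.
    m, s = signed(new_priv, name="new-addon", author="newdev", version="0.1")
    results["unknown_dev"] = check_addon(m, s, new_pub, developers, reserved)[0]
    return results


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case}: {verdict}")
```

The decisive detail is that the signature covers the whole manifest, including the author claim and the addon name, so the two checks the post asks for (a claimed author must sign with their known key; a reserved name must come from its known author) cannot be defeated by relabelling a package. Nothing here inspects the addon's code, which matches the post's position: the check establishes who signed what, and leaves the trust decision about that person to the user. A real deployment would replace the Lamport stand-in with PGP (or any reusable signature scheme) and source the pinned fingerprints from keyservers or an in-person keysigning.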
1mo
@MostlyBlindGamer Yeah, but I know you've deceived me, Now here's a surprise. I know that you have, 'Cause there's magic in my eyes. I can see for miles and miles, And miles and miles...