FAQ Off: An Open Source Project to Defeat Harassment Mobs and Anti-Intellectualism

Soatok Dreamseeker — Mon, 13 Apr 2020 09:23:23 +0000

Social media is inherently asymmetric. That observation shouldn't surprise anyone. After all, most of us have a very small number of followers, but some people command the attention of hundreds of thousands or even millions.

But the asymmetry of social media cuts both ways. Ask anyone who has ever been the target of a harassment mob, and they'll tell you all about it.

A popular technique used by Internet trolls and mob-harassers is called Sea-Lioning, which involves (often multiple) throwaway accounts demanding answers to a tired line of loaded questions, usually while maintaining the veneer of civility.

Even when a victim is successful dealing with sea-lioning, it can be very exhausting and draining for them to do so.

Which brings us to FAQ Off, an open source toolkit for undermining the tactics of trolls and harassment mobs.

FAQ Off Aims to Invert the Exploitable Asymmetry of Social Media

It used to be the case that you had two options:

Engaging with a (potentially large) number of boring Internet trolls who are not acting in good faith.
Say nothing and let their replies pollute your community with their toxicity, thereby tacitly endorsing the radicalization of your friends.

With FAQ Off, you're given a third choice: Take control of the narrative by writing responses to their questions, and the obvious follow-ups to those questions, and so on recursively. And then, all current and future iterations of the same tired line of questioning can be answered by a simple hyperlink instead of wasting your time again.

If this sounds confusing, how about a demonstration? Here's a URL you can link people in response to them saying, "I hate furries.": https://faq.dhol.es/@Soatok/furry-fandom/i-hate-furries

FAQ Off is the cross-product of Q&A sessions with text adventure games.

Here's another demo. This one deals with common misconceptions about VPN services: https://faq.dhol.es/@Soatok/cryptography/which-vpn-service-will-protect-me-from-hackers

Of course, if you'd prefer the dog-fooded explanation for this project, read here instead.

Write once, link ad nauseum

If you're in touch with the news and recent events, you may be concerned by the trend of anti-intellectualism that's taken hold for the past decade or so.

If nothing else, FAQ Off may provide a platform for experts to automate the uninteresting conversations debunking common myths and falsehoods that perpetuate the 24-hour breaking news cycle and tabloid journalism so they can focus instead on providing actual insight into their area of expertise.

The sky is the limit.

What Are FAQ Off's Features?

Interactive Question and Answer Website:
- Guide your readers to the answers to their question.
- Short-circuit common lines of disruptive discourse. Write once, answer ad nauseum!
HTML and Markdown Support
Troll and Spam Defense:
- Administrators can enable "invite only" mode, which requires an invitation code from an existing user to sign up.
- The invitation tree: Administrators can see who invited who, to identify common entry points of misbehaving users to curate their own community.
Collaboration:
- Users can share an Author profile with colleagues and publish as a group.
- Users can belong to an unlimited number of Authors.
- Authors can share access to an unlimited number of users, or just one.
Security:
- Entries are written in HTML / Markdown and processed by HTML Purifier to protect against cross-site scripting attacks.
- Passwords are stored securely, or you can use Twitter.
- Your username or Twitter handle is only knowable by administrators. A randomly generated Public ID is provided to keep your login handle and/or Twitter handle anonymous to everyone else.

Where Can I Find It?

FAQ Off is on Github: https://github.com/soatok/faq-off

Secure Automatic Updates for Electron Apps

Soatok Dreamseeker — Thu, 05 Sep 2019 12:54:27 +0000

There are a lot of popular desktop applications today written in Javascript and HTML, thanks to frameworks like Electron. The most noteworthy example that comes to mind is Streamlabs OBS, which is popular among Twitch streamers.

A lot of these apps even include a self-update mechanism for ensuring users are always on a recent version of the software. However, self-updaters are a land mine (or a gold mine, depending on your perspective) of security risks.

However, they're definitely worth the risk. It's just important to do them right.

Understanding the Risks Inherent to Automatic Updates

In general, the best way to understand security risks is to think like a bad guy, then try to outsmart yourself.

If you wanted to install malware on thousands (or millions) of computers, and all of the targets you were interested in were running some software that has a self-update mechanism, wouldn't it make perfect sense to attack the update server and replace the update file with your malware?

This isn't just a theoretical risk. Both download links and self-updaters have historically been used to spread malware in the past.

Let's assume someone hacks into your update server and publishes a fake update for your app that contains their malware of choice. How can we stop them from infecting our users?

Can we use cryptographic hash functions?

No! Hash functions don't help us here.

There's a lot of "old school" ideas about download authenticity. The idea of "just verify hashes/checksums" doesn't work because there are no secrets the attacker cannot access.

Isn't HTTPS (HTTP over TLS) enough?

TLS is good, and I would argue, necessary for solving this problem. But it is, in and of itself, inadequate.

As the name Transport-Layer Security implies, TLS protects data in-transit. It provides no at-rest authenticity for the update file sitting on the server. If someone can hack the other endpoint, TLS doesn't help you.

What Actually Works?

Digital Signatures work!

Digital Signatures are a class of asymmetric cryptography algorithms that compute a signature of a message, generated by a secret signing key (or "private key" in Academic Speak), which can be verified by a publicly known verification key (a.k.a. "public key").

Due to the nature of asymmetric cryptography, only your signing key needs to remain secret.

So what you have to do is:

Generate a digital signature of your update files, offline.
Upload the signature alongside your update files to the update server.

And viola! Now even if someone hacks into the update server, they cannot push malware onto your users without further attacks in order to steal your signing key. If you keep this key in a computer that is never connected to the Internet, stealing it becomes prohibitively expensive for most attackers.

But is a digital signature by itself adequate for developing a secure automatic update system?

The experts say, "No."

That being said, digital signatures are a fundamental component to any effort to secure software updates. You cannot remove them from the equation without making the system less secure.

The full solution consists of each of the following:

Digital signatures
Reproducible builds
Binary transparency (a.k.a. Userbase Consistency Verification)
- This uses cryptographic ledgers, but be wary of anything with "blockchain" in its sales brochure
Transport-Layer Security (to prevent Man-in-the-Middle replay attacks to keep targeted systems vulnerable forever)

That might sound daunting, but I didn't just write this post to talk about the theory of secure automatic updates with respect to Electron apps. Experts have already talked about the problems and solutions at length before.

Today, I'd like to introduce you to my solution to the problem (which was based off the work done to secure WordPress's auto-updater).

Project Valence

Project Valence (named after valence electrons) is my framework for self-updating Electron apps. It consists of three main projects.

libvalence is the component you would add to an existing Electron.js project in order to facilitate secure updates
valence-devtools is a npm package you'll want to install globally in order to package, sign, and release updates
valence-updateserver is a web application that exposes an API that the other two projects can communicate with in order to upload/download updates and signatures

The cryptography used by Valence is Dhole cryptography, an easy-to-use libsodium wrapper.

For signatures, Dhole uses Ed25519 (with an additional 256-bit random nonce to make fault attacks more difficult if reimplemented in embedded systems).

Valence Update Server

The install/setup instructions are available on Github.

This exposes a REST + JSON API that the other components communicate with. In order to publish anything on the update server, you will need a publisher account and at least one project. You will need a publisher token to use the dev tools.

Valence Dev Tools

The dev tools documentation fits well within the README on Github.

The devtools were designed so that you can quickly run the ship command to build, sign, and upload a new release all in one fell swoop, or break each step into an atomic command (i.e. to facilitate offline signatures with an airgapped machine).

Libvalence

This is the meat and potatoes of this post: Making your code self-update.

My goal with this project was to ensure you don't need a cryptography engineering background to set this up properly. Once you have access to an update server and the dev tools installed, the rest of the work should just be using a simple API to solve this problem.

The API looks like this:

const { Bond, Utility } = require('libvalence');

let bond = Bond.fromConfig(
  'Project Name',
  __dirname + "/app", // Path
  ['https://valence.example.com'],
  [] // Serialized public keys (generated by dhole-crypto)
);

/**
 * @param {string} channel
 * @param {string|null} accessToken
 */
async function autoUpdate(channel = 'public', accessToken = null) {
  if (accessToken) {
    bond.setAccessToken(accessToken);
  }
  let obj = await bond.getUpdateList(channel);
  if (obj.updates.length < 1) {
    // No updates available
    return;
  }
  let mirror = obj.mirror;
  let update = obj.updates.shift();
  let updateInfo = await fetch.fetchUpdate(update.url, mirror, bond.verifier);
  if (updateInfo.verified) {
    await bond.applier.unzipRelease(updateInfo);
  }
}

You can also ensure all updates are published on a cryptographic ledger, specify your own automatic update policy (the default policy is semver: patch updates are auto-installed, minor/major updates are not).

An important (but easily overlooked) feature is the concept of release channels.

You can, from the update server, generate access tokens that have access to a specific subset of channels (e.g. public and beta releases but not alpha or nightly releases).

This concept is implemented so that developers can offer exclusive access to early releases to their paid supporters (e.g. via Patreon), and bake that access directly into their automatic updates.

Want to Contribute?

All of these projects are open source on Github, but my development efforts are funded through Patreon supporters.

I also stream most of my open source development on my Twitch channel.

DEV Community: Soatok Dreamseeker