Bash was designed decades before the current security environment, and contains many insecure-by-default mechanisms, many of which operate without you explicitly invoking them. Just for starters, in a normal language it's hard enough to operate on untrusted data, but at least you know that nothing bad is going to happen just passing $UNTRUSTED from one function to the next. In bash, because it's based on string substitution, you have to enclose that variable in quotes: "$UNTRUSTED", or its contents will start being interpreted.
In short, writing security-critical code in bash, without some obvious constraint forcing this, is a sign of inexperience or not actually caring about it.
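The quoting behaviour described in the comment above, as an added example that is not part of the original comment: the same value is passed to a function unquoted and quoted, and the function reports what it actually received. The helper names, the sample value and the two files are constructed for illustration.

```bash
#!/bin/sh
# Constructed demo: an unquoted expansion is split on whitespace and then
# glob-expanded before the callee ever sees it; a quoted one is passed intact.

# Print how many separate words the shell handed over.
count_args() { printf '%s\n' "$#"; }

# Print each received word on its own line.
list_args() { for a in "$@"; do printf '%s\n' "$a"; done; }

# Constructed sandbox with two files so the glob has something to match.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
touch "$demo_dir/report.txt" "$demo_dir/secrets.txt"

# Constructed "untrusted" value: one logical string with spaces and a glob.
UNTRUSTED='my file *.txt'

# 'Before' case, deliberately unquoted: the shell splits the value into words
# and expands *.txt against the current directory.
unquoted_count() {
  # shellcheck disable=SC2086
  ( cd "$demo_dir" && count_args $UNTRUSTED )
}
unquoted_words() {
  # shellcheck disable=SC2086
  ( cd "$demo_dir" && list_args $UNTRUSTED )
}

# 'After' case: quoting passes the value through as a single, unmodified word.
quoted_count() { ( cd "$demo_dir" && count_args "$UNTRUSTED" ); }
quoted_words() { ( cd "$demo_dir" && list_args "$UNTRUSTED" ); }

echo "unquoted: $(unquoted_count) words"
unquoted_words
echo "quoted:   $(quoted_count) word"
quoted_words
```

Running ShellCheck over a script flags the unquoted form as SC2086, which is why the example has to disable that warning explicitly.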
I actually doubt that. Irwin was a philanthropist and a scientist, with a decent sense of humor. This is a basically profitless project for public good. I think if the founder has bona-fides, Irwin’s estate would jump at it.
Hmmm we've never approached the Irwin estate, even though all our work is about stingray sting prevention and treatment. We do need to make profit to stay in business, so it's not entirely charity. Maybe we should see how they feel though. I also worry about the optics of advertising so directly on somebody's death. Especially because none of our products would have prevented / helped in his scenario.
Same risk model - it's still going to have access to the recent AWS session, access to the source code. I guess it's also got my KDE settings too, what a score.
I'm not running it on my personal computer or anything with cookies, private keys, or anything like that.