New "dependency confusion" technique, also known as a "substitution attack," allows threat actors to sneak malicious code inside private code repositories by registering internal library names on public package indexes. You mean downloading random blobs of code from random developers might be a bad idea?
Kent Sharkey wrote: You mean downloading random blobs of code from random developers might be a bad idea?
Joking aside, yes, this is a bad idea.
Yes, I know it's how more and more languages and ecosystems work. It's still a really bad idea.
I'm learning about TypeScript at the moment via the book 'Learn TypeScript 3 by Building Web Applications'. It seems to me like a good introduction to TypeScript. It begins by describing how to set up a dev environment to match the author's one. Installing one or two packages in Node (I forget which ones now) pulls in some unbelievable number of other packages. (If you really want to know I'll get the names and numbers).
This is absurd. I don't care that it's normal now. It's still absurd. It's dangerous, it's not properly maintainable (by which I mean that the coder doesn't really know what his codebase is), it's a mess.
Back in the 90s, componentised code was seen as a future way forward, although the components were expected to be runtime consumer components that users could purchase and plug together. This didn't quite work out but now we've got dev components on a level that no one expected. It just evolved. And it's dangerous.
There has to be a way forward from this. There's a lot of money to be made by someone who finds a way to catalogue and audit it all, moving it from what amounts to random code generation to actual, traceable, properly maintainable code.
Thank you.
I was 3/4 convinced that people would be telling me I was an idiot for complaining about npm/winget/gem/the-rest. I'm glad to know I'm not the only one that this gives indigestion to.
Especially after the "leftpad debacle", I'd have hoped that people would step back from this process, not lean into it further.
TTFN - Kent
Yes, I was thinking of the leftpad thing. It's amazing that the issue is not more common. Perhaps it is more common but pure deletions are way less common than insertion of (silent) malicious code. Problem is, we just don't know for sure.
Kent Sharkey wrote: I was 3/4 convinced that people would be telling me I was an idiot for complaining about npm/winget/gem/the-rest. I'm glad to know I'm not the only one that this gives indigestion to. No, you are not alone in this.
Quartz article end: Mike Roberts, from Kik, said in an interview that he regretted not reaching out to Koçulu himself in the first place. ”From my perspective,” he said, “open-source, the community, is about helping each other out.” First step: a lawyer asking
Second step: a lawyer threatening
Third step: a lawyer trying to buy
Fourth Step: a lawyer threatening even harder but to someone else
Fifth Step: Screwing the little private person
everything blows up
A manager of the triggering company says "he regrets not reaching out in the first time" ???
really? C'mon... we are already old enough to know that this is utterly bullsh1t and dictated by the PR to try to give a "not do evil" impression
NPM: “Un-un-publishing is an unprecedented action that we’re taking given the severity and widespread nature of breakage, and isn’t done lightly,”
This action puts the wider interests of the community of npm users at odds with the wishes of one author; we picked the needs of the many.” After putting the interests of a company over the copyright of one author that was there first, that surprisingly doesn't have the resources or the desire to have to fight for it.
They should both get sued for being assh... and npm should be forced to recompile everything repairing the mess without overrunning the author's right to do what he wants with his code / package.
M.D.V.
If something has a solution... Why do we have to worry about it? If it has no solution... For what reason do we have to worry about it?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
Of course, the real problem here is that you can be bitten by this even if you have no intention of downloading random blobs of code from random developers. You could just be trying to consume packages from your responsibly-curated private Azure Artifacts repo (for example), and this attack can surreptitiously insert random code because the package manager (for some stupid reason) prioritizes random public packages from an upstream source over your internal ones unless you take ridiculous measures to prevent it.
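One defensive check for the setup described above, as an added example that is not code from the thread or from any package manager: audit a package-lock.json (lockfileVersion 2/3) for internal package names that were resolved from the public registry rather than the private feed. The feed host, the internal package names and the sample lockfile are all constructed for the example.

```javascript
// Added example, not code from the original thread: audit an npm lockfile
// (lockfileVersion 2/3) for internal packages that were resolved from the
// public registry instead of the private feed. The feed host, the internal
// package names and the sample lockfile below are all constructed.
const PRIVATE_FEED_HOST = "pkgs.dev.azure.com";                  // assumed private Azure Artifacts host
const INTERNAL_PACKAGES = ["acme-internal-utils", "@acme/auth"]; // assumed internal package names

// The package name is the part of the lockfile path after the last "node_modules/".
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

function auditLockfile(lockfile, internalNames = INTERNAL_PACKAGES, privateHost = PRIVATE_FEED_HOST) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue;                     // the root project entry
    const name = meta.name || nameFromPath(path);
    if (!internalNames.includes(name)) continue;
    const host = meta.resolved ? new URL(meta.resolved).host : "(none)";
    if (host !== privateHost) {
      // Internal name satisfied from somewhere other than the private feed: the confusion case.
      findings.push({ name, version: meta.version, resolvedFrom: host, severity: "high" });
    } else if (!name.startsWith("@")) {
      // Correct feed today, but an unscoped name cannot be pinned to one
      // registry with an .npmrc "@scope:registry=" mapping, so flag it for renaming.
      findings.push({ name, version: meta.version, resolvedFrom: host, severity: "warn" });
    }
  }
  return findings;
}

// Constructed sample lockfile: one clean scoped internal package, one public
// third-party package, and one internal name served from registry.npmjs.org.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
    "node_modules/@acme/auth": {
      version: "2.1.0",
      resolved: "https://pkgs.dev.azure.com/acme/_packaging/feed/npm/registry/@acme/auth/-/auth-2.1.0.tgz" },
    "node_modules/acme-internal-utils": {
      version: "99.0.0",
      resolved: "https://registry.npmjs.org/acme-internal-utils/-/acme-internal-utils-99.0.0.tgz" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; any "high" finding means an install pulled an internal name from outside the private feed.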
LaserFactory cuts out a shape, then adds circuitry and components. Now just hook it up to SkyNet and we can relax...
Don't be so paranoiac... they are not armed...
yet.
M.D.V.
The C#/WinRT team is excited to announce our latest release, which includes a preview of C#/WinRT authoring with the latest C#/WinRT NuGet package, as well as updates to the .NET 5.0 SDK with the .NET February update. For those few C# developers targeting Windows
Favicons can break through incognito mode, VPNs, and Pi-holes to track your movement online Is it a tart? A flan? No, it's SUPERcookie!
Quote: The tracking method is called a Supercookie, and it’s the work of German software designer XXX YYY. Really? I suppose this guy is trying to get recruited by G00gle or Farcebo0k...
or maybe he is tired of living...
Because I suppose that some people would even like to have him face to face, especially those depending on some of those technologies to remain as private as one could be (until now).
M.D.V.
This post will discuss the unique combination of features that Scala provides and how it compares to other languages on the market, diving beneath the superficial experience to explore the fundamentals of the language. Because one leg is both the same?
A recent survey commissioned by IBM and conducted by O’Reilly highlights the need for open source skills in the competitive field of hybrid cloud development. Yup - that's source code. A+ for me!
field of hybrid cloud development.
What's that? A mix of stratus, cirrus, cumulus, altostratus, stratocumulus, altocumulus, cirrocumulus, nimbostratus, ...and the list goes on... cloud types?
Seriously, I have no idea what "hybrid cloud development" means.
Building something that looks like a commercial cloud setup but hosting it in your own data center. Optionally with the ability to also deploy to commercial cloud servers (either for lower security/latency sensitive applications if external cloud is cheaper, or capacity management if the internal servers get maxed out).
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, weighing all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies.
-- Sarah Hoyt
Microsoft has urged customers today to install security updates for three Windows TCP/IP vulnerabilities rated as critical and high severity as soon as possible. As opposed to all the others?
Windows 7 needs the patch too... Options:
1) The bug has "only" been there for 12 years
2) The bug was there for more, but they don't even try to fix it in previous systems (I know, I know, but the real usage is still out there)
Either way I can't avoid being a bit skeptical... only because they were "just published" doesn't mean that they were "just discovered".
M.D.V.
Vista and prior are beyond the 3 year pay for patches because your IT is too cluster ed to upgrade on time window. Only the most apocalyptic vulnerabilities get patched outside of that (or have public patches released in the pay for patch window). IIRC the last time that happened was when someone pwned a big collection of NSA hacking tools.
As a paid only W7 patch this doesn't qualify. Probably at least in part because it's a bug in something that is default disabled.
Google steps up its game on open-source security. That should make the hackers' jobs easier
Can't they lend this to Microsoft?
M.D.V.
Bing now fixes bad spelling in searches across 100 languages. Sew ewe khan git write stuff
Sorry, ran out of misspellings there (worked myself into a corner)
The intrusion was detected right away and the hacker's modifications have been reversed right away. Why it's safer to stick with gin
Crazy talk idea here, but why is the system that can control the sodium hydroxide available via the internet?
Oh, sorry, it may not be connected to the internet, just available remotely. Much better idea, I'm sure.
"The intrusion took place on Friday, February 5, when the hacker accessed a computer system that was set up to allow for the remote control of water treatment operations."
Kent Sharkey wrote: Crazy talk idea here, but why is the system that can control the sodium hydroxide available via the internet?
Oh, sorry, it may not be connected to the internet, just available remotely. Much better idea, I'm sure. hear hear...
or Smart storm counters...
or other stuff (sadly there is more than enough examples)...
I just wonder when things like in Blackout (Elsberg novel) or in Live Free or Die Hard (2007) are going to blow up under our noses, just because some idiot "IT Decision makers" (to quote the item below) just screwed it up (in addition to not giving enough money to properly develop things)
M.D.V.
If only they had watched and followed Admiral Adama's philosophy from Battlestar Galactica
"I will not allow, a network computerised system to be placed on this ship while I am in command!"
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens