undefined | Better HN

0 pointsGekkePrutser4y ago0 comments

> Auto updates are a big security risk themselves, it is a matter of time before someone manages to hijack a major distribution point like that (Windows, Chrome, Firefox?). Once that happens we will probably review this.

And as some lower-hanging fruit: The repos of common programming languages and things like Docker Hub.

Python PIP, NodeJS NPM, Ruby Gems, we pull in a lot of stuff from people we don't even know. Every python project installs a gazillion of stuff from its requirements.txt. At least the OS updates come from a party we at least chose to do business with.

And it's not like this is not yet happening already. But I think it'll take a major Wannacry event before we'll stop doing this because it's just so damn handy.

But if you think of it, imagine you're coding and some random 'willywonka2586' on a public slack group says "Hey I wrote a handy library for that, here, go and install it and use it in a project for your customers!". This is kinda what we're doing.

0 comments

3 comments · 2 top-level

actually_a_dog4y ago· 1 in thread

This actually happened at a company I worked for. One of the Python dependencies of some service or another had a bit of code that phoned home. It was hard to detect, because it actually did the thing it advertised it was supposed to do, just that it added the phone home part. It was only detected because the way routing works inside AWS didn't allow it to phone home, and that generated a lot of network timeouts. IIRC, it took more than 90 days before the malicious library was found out and removed.

carlmr4y ago

>It was hard to detect, because it actually did the thing it advertised it was supposed to do, just that it added the phone home part.

Was it a Microsoft dependency?

jacquesm4y ago

NPM should be top of the suspects list there.

j / k navigate · click thread line to collapse