@philtor @danderson I’m doubtful of that. At this scale someone will notice that weird network request.
@philtor @danderson then anomaly detection software will absolutely pick that up even without modern techniques.

@piecritic @philtor @danderson there are attackers persisting in systems that they shouldn't have access to, all the time, sure alerts are raised in a serious system, but that's not necessarily enough. https://www.bl.uk/cyber-incident/ for an example.

@danderson @tshirtman @philtor yes I am aware that people exist doing bad things. Buildings also get bombed almost daily in Sweden. It doesn’t mean it is a comparative scenario. This scenario is extremely low level and touches too many things.

@piecritic @danderson @philtor it looks like you think we are doing good enough and the luck here is not really luck but the system working as intended, although there are many levels where this could have been caught, it does seem like this one could easily have done a lot more harm before being discovered, and hoping we are going to get similarly lucky next time doesn't strike me as a serious plan (well, hope never is, anyway).

@tshirtman @philtor @danderson there shouldn’t be dependencies that are used so broadly that it can affect the entire world that have one tired maintainer working for free. This is a deeper systemic issue and the system itself is working as intended given that constraint.

@piecritic @philtor @danderson that I agree, but many people are depending on this lib, and surely we should be able to encourage them, and make it easier for them, to check that the changes make sense, distributors, applications builders, people adding this lib to their own project, should probably set some time aside for it, or companies themselves should dedicate resources to such audits, but clarity of dependencies, and resources to do the work, are needed.

@philtor @danderson @tshirtman nah. That’s unrealistic.
What is realistic is that projects assess the scope of risk of their dependencies and consider at what depth a dependency affects their systems, then consider the maturity and safety of the team maintaining it. This is what I do as part of my job. This is a social problem exclusively, not an economical one.
@piecritic @danderson what if the network request is made very infrequently on some sort of random schedule?
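The thread argues over whether an unexpected outbound connection from a compromised component gets noticed, and the last post asks whether a rare, randomly scheduled request would slip past. As an added illustration (not code from anyone in the thread), here is a minimal baseline-and-first-seen egress check of the kind anomaly detection does: it records which (process, destination) pairs each host exhibited during a clean baseline window and flags any later pair that was never seen, or seen on too few hosts. The log lines, host names, process names and addresses are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample egress records in the form "timestamp host process dst:port".
# These are made-up values for the example, not real telemetry.
BASELINE = """\
2024-03-01T02:00:00Z build01 apt 10.0.0.5:443
2024-03-01T02:00:00Z build02 apt 10.0.0.5:443
2024-03-01T02:05:00Z build01 sshd 10.0.0.9:53
2024-03-02T02:00:00Z build01 apt 10.0.0.5:443
2024-03-02T02:00:00Z build02 apt 10.0.0.5:443
2024-03-02T02:05:00Z build02 sshd 10.0.0.9:53
2024-03-03T09:41:00Z build01 curl 10.0.0.12:8080
""".splitlines()

# A later window containing one connection that never appeared in the baseline.
OBSERVED = """\
2024-03-29T02:00:00Z build01 apt 10.0.0.5:443
2024-03-29T02:05:00Z build01 sshd 10.0.0.9:53
2024-03-29T04:17:31Z build02 sshd 203.0.113.7:443
2024-03-29T09:40:12Z build02 curl 10.0.0.12:8080
""".splitlines()


def parse(line):
    """Split one record into (timestamp, host, process, destination)."""
    ts, host, proc, dst = line.split()
    return ts, host, proc, dst


def build_baseline(lines):
    """Map each (process, destination) pair to the set of hosts that exhibited it.

    The key point: frequency is not what the baseline stores. A pair that
    occurred once in the window is recorded the same way as one that occurred
    a thousand times, so a rarely scheduled request is still a new pair.
    """
    seen = defaultdict(set)
    for _ts, host, proc, dst in map(parse, lines):
        seen[(proc, dst)].add(host)
    return seen


def detect(baseline, lines, min_hosts=2):
    """Return (record, reason) for every record whose pair is absent from the
    baseline, or present on fewer than min_hosts hosts (fleet-wide rarity)."""
    alerts = []
    for line in lines:
        _ts, host, proc, dst = parse(line)
        hosts = baseline.get((proc, dst))
        if hosts is None:
            alerts.append((line, "first-seen destination %s for %s" % (dst, proc)))
        elif len(hosts) < min_hosts:
            alerts.append((line, "%s -> %s seen on only %d baseline host(s)"
                           % (proc, dst, len(hosts))))
    return alerts


if __name__ == "__main__":
    for record, reason in detect(build_baseline(BASELINE), OBSERVED):
        print(reason, "|", record)
```

Two things this shows about the question in the last post. First, spacing the request out or randomising its schedule does not change its outcome here, because the check keys on the (process, destination) pair, not on how often it occurs. Second, the check is only as good as its baseline: if the unexpected connection had already been present during the baseline window, it would have been learned as normal, which is why baselines are built from a period believed to be clean and re-reviewed when a dependency changes. The `curl` pair appears on only one baseline host, so with `min_hosts=2` it is also surfaced as fleet-rare.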