Gabriel Pettier

@piecritic @philtor @danderson there are attackers persisting in systems that they shouldn't have access to, all the time, sure alerts are raised in a serious system, but that's not necessarily enough. bl.uk/cyber-incident/ for an example.

5 comments
Brendan Molloy :ferris:

@danderson @tshirtman @philtor yes i am aware that people exist doing bad things. Buildings also get bombed almost daily in Sweden. It doesn’t mean it is a comparative scenario. This scenario is extremely low level and touches too many things.

Gabriel Pettier

@piecritic @danderson @philtor it looks like you think we are doing good enough and the luck here is not really luck but the system working as intended, although there are many levels where this could have been caught, it does seem like this one could easily have done a lot more harm before being discovered, and hoping we are going to get similarly lucky next time doesn't strike me as a serious plan (well, hope never is, anyway).
There might be others, currently exploitable, that we missed.

Brendan Molloy :ferris: replied to Gabriel

@tshirtman @philtor @danderson there shouldn't be dependencies that are used so broadly that they can affect the entire world and that have one tired maintainer working for free. This is a deeper systemic issue and the system itself is working as intended given that constraint.

Gabriel Pettier replied to Brendan Molloy :ferris:

@piecritic @philtor @danderson that I agree, but many people are depending on this lib, and surely we should be able to encourage them, and make it easier for them, to check that the changes make sense, distributors, applications builders, people adding this lib to their own project, should probably set some time aside for it, or companies themselves should dedicate resources to such audits, but clarity of dependencies, and resources to do the work, are needed.

Brendan Molloy :ferris: replied to Gabriel

@philtor @danderson @tshirtman nah. That's unrealistic. What is realistic is that projects assess the scope of risk of their dependencies and consider at what depth a dependency affects their systems, then consider the maturity and safety of the team maintaining it. This is what I do as part of my job. This is a social problem exclusively, not an economical one.
