| |
| ▲ | niwtsol 4 days ago | parent | next [-] | | The email says accounts will start locking Sept 10th and it was sent Sept 8th - so a 48 hour urgency window or an account would be locked is urgency IMO | | |
| ▲ | 4 days ago | parent | next [-] | | [deleted] | |
| ▲ | notmyjob 4 days ago | parent | prev [-] | | Fair enough, was just thinking about many low effort scams that have “EMERGENCY!!! ACT NOW!!!” in red boldface. This, by being slightly? less aggressive is actually less likely to trip my “this is phishing” detector. Obviously ymmv. |
| |
| ▲ | naikrovek 4 days ago | parent | prev | next [-] | | > The solution is to not use email. and use what? instant message? few things lack legitimacy more than an instant message asking you to do something. Links in email are much more of a problem than email itself. So tempting to click. It's right there, you don't have to dig through bookmarks, you don't have to remember anything, just click. A link is seductive. the actual solution is to avoid dependencies whenever possible, so that you can review them when they change. You depend on them. You ARE reviewing them, right? Fewer things to depend on is better than more, and NPM is very much an ecosystem where one is encouraged to depend on others as much as possible. | | |
| ▲ | rollcat 3 days ago | parent | next [-] | | > the actual solution is to avoid dependencies whenever possible, so that you can review them when they change. If you're publishing your software: you can't "not" depend on some essential service like source hosting or library index. > You ARE reviewing them, right? Werkzeug is 20kloc and is considered "bare bones" of Python's server-side HTTP. If you're going to write a complex Python web app using raw WSGI, you're just going to repeat their every mistake. While at it: review Python itself, GCC, glibc, maybe Linux, your CPU? Society depends on trust. | |
| ▲ | notmyjob 3 days ago | parent | prev [-] | | Depends what you use it for. I don’t think email is a single thing in that regard. For example I’ve used it as a backup method for important files and also as 2 factor. Those are wholly different things that warrant different solutions. The majority of email volume is not person to person communication but part of some corporation/spammers/scammers business model who at best, like my bank, is using it to shift liability away from themselves onto consumers and at worst is attempting to defraud me of all I own. It’s still useful in business, maybe, but pretty sure teams/slack/… will win eventually. |
| |
| ▲ | lelanthran 4 days ago | parent | prev [-] | | > The problem is email as it’s used currently. The solution is to not use email. No. The problem is unsigned package repositories. The solution is to tie a package to an identity using a certificate. Quickest way I can think off would be requiring packages to be linked to a domain so that the repository can always check incoming changes to packages using the incoming signature against the domain certificate. | | |
| ▲ | benchloftbrunch 3 days ago | parent | next [-] | | As long as you're OK with self signed certificates or PGP keys, I'd be on board with this. I really, really dislike the idea of using TLS certificates as we know them for this purpose, because the certificate authority system is too centralized, hierarchical, and bureaucratic, tightly coupled to the DNS. That system is great for the centralized, hierarchical, bureaucratic enterprises who designed it in the 90s, but would be a pain in the ass for a solo developer, especially with the upcoming change to 45 day lifetimes. | | |
| ▲ | lelanthran 3 days ago | parent [-] | | > As long as you're OK with self signed certificates or PGP keys, I'd be on board with this. I am with PGP but more wary of self-signed certs, though even self-signed certs allow mass revocation of packages when an author's cert is compromised. |
| |
| ▲ | cluckindan 4 days ago | parent | prev | next [-] | | And one pwned domain later, we are back in square one. | | |
| ▲ | lelanthran 3 days ago | parent [-] | | > And one pwned domain later, we are back in square one. 1. It's an extra step: before you pwn the package, you need to pwn a domain. 2. When a domain is pwned, the packages it signs can be revoked with a single command. |
| |
| ▲ | dabockster 4 days ago | parent | prev | next [-] | | That wouldn't work against a really sophisticated attacker. Especially for something that's clearly being maintained for free by one overworked person in their spare time (yet again). You'd need some kind of offline verification method as well for these widely used infrastructure libraries. | | |
| ▲ | lelanthran 3 days ago | parent [-] | | > That wouldn't work against a really sophisticated attacker. Nothing "really works" against a sophisticated hacker :-/ Doesn't mean that "defense in depth" does not apply. > You'd need some kind of offline verification method as well for these widely used infrastructure libraries. I don't understand why this is an issue, or even what it means: uploading a new package to the repository requires the contributor to be online anyway. The new/updated/replacement package will have to be signed. The signature must be verified by the upload script/handler. The verification can be done using the X509 certificate issued for the domain of the contributor. 1. If the contributor cannot afford the few dollars a year for a domain, they are extremely vulnerable to the supply chain attack anyway (by selling the maintenance of the package to a bad actor), and you shouldn't trust them anyway. 2. If the contributor's domain gets compromised you only have to revoke that specific certificate, and all packages signed with that certificate, in the past or in the future, would not be installable. As I have repeatedly said in the past, NPM (and the JS tools development community in general) had no adults in the room during the design phase. Everything about JS stacks feels like it was designed by children who had never programmed in anything else before. It's a total clown show. | | |
| ▲ | benchloftbrunch 3 days ago | parent | next [-] | | > X509 certificate It should be a PGP or SSH key, absolutely not an X509 certificate (unless you allow self signed). Personal identity keys should be fully autonomous and not contingent on the formal recognition of any external authority. | |
| ▲ | idiotsecant 3 days ago | parent | prev [-] | | If only they would have had the benefit of you being around to do all that work with your glorious hindsight. | | |
| ▲ | lelanthran 3 days ago | parent [-] | | > If only they would have had the benefit of you being around to do all that work with your glorious hindsight. They didn't need me; plenty of repositories doing signed packages existed well before npm was created. Which is why I likened them to a bunch of kids - they didn't look around at how the existing repos were designed, they just did the first thing that popped into their head. | | |
| ▲ | idiotsecant 3 days ago | parent [-] | | On the other hand, they did the actual work when nobody else did. It's so easy to take potshots, when you've never done anything consequential enough for the results to matter as much as they do for npm. |
|
|
|
| |
| ▲ | rollcat 3 days ago | parent | prev [-] | | > The solution is to tie a package to an identity using a certificate. Identity on the Internet is a lie. Nobody knows you're a dog. The solution is to make security easy and accessible, so that the user can't be confused into doing the insecure thing. | | |
| ▲ | lelanthran 3 days ago | parent [-] | | > Identity on the Internet is a lie. What do you think HTTPS is? | | |
| ▲ | mdaniel 3 days ago | parent | next [-] | | Transport Layer Security, and has nothing to do with Identity. Take for example the perfectly valid certificate that was issued for npmjs[.]help which unquestionably does not belong to Microsoft/GitHub. Hell, even the certificate for npmjs.com is 'O=Google Trust Services' which doesn't sound like any of the business entities one would expect to own that cert | |
| ▲ | rollcat 2 days ago | parent | prev [-] | | "Whoever was on the cacert list that ships with your browser" has signed "I claim to be Acme Widgets Inc. and I own microsoft.com". |
|
|
|
|
