hsbauauvhabzb 4 days ago

[flagged]

josephg 4 days ago

Apparently it found this attack more or less immediately.

It seems strange to attack a service like this right after it actively helped keep people safe from malware. I'm sure it's not perfect, but it sounds like they deserve to take a victory lap.

hsbauauvhabzb 3 days ago

I don’t think celebrating a company who has a distinct interest in prolonging a problem while they profit off it is a good thing, no.

josephg 3 days ago

They're profiting off helping to solve the problem through early warning and detection. And by keeping their customers safe from stuff like this.

Seems good to me. I want more attention and more tooling around this problem. You seem mad at them for helping solve a real problem?

fn-mote 4 days ago

You could at least offer some kind of substantive criticism of the tool (“socket”).

hsbauauvhabzb 4 days ago

Do I need any? Automated tools cannot prevent malicious code being injected. While they can make attempts to evaluate common heuristics and will catch low-hanging malware, they are not foolproof against highly targeted attacks.

Either way, the parent post is clearly ambulance chasing rather than having a productive conversation, which should really be about whether or not automatically downloading and executing huge hierarchical trees of code is absolutely fucking crazy, rather than a blatant attempt to make money off an ongoing problem without actually solving anything.

33a 4 days ago

When we find malware on any registry (npm, rubygems, pypi or otherwise), we immediately report it to the upstream registry and try to get it taken down. This helps reduce the blast radius from incidents like this and mitigates the damage done to the entire ecosystem.

You can call it ambulance chasing, but I think this is a good thing for the whole software ecosystem if people aren't accidentally bundling cryptostealers in their web apps.

And regarding not copying massive trees of untrusted dependencies: I am actually all for this! It's better to have fewer dependencies, but this is also not how software works today. Given the imperfect world we have, I think it's better to at least try to do something to detect and block malware than just complain about npm.

hsbauauvhabzb 4 days ago

So instead you prolong the problem while making money? Nice!

jondwillis 3 days ago

I’m all for thinking about second, or third, or fourth order effects of behavior, but unless you have proof that Socket is doing something like lobbying that developers keep using NPM against their own best interests, frankly, I don’t know what your point here is.

josephg 4 days ago

> Do I need any? Automated tools cannot prevent malicious code being injected. While they can make attempts to evaluate common heuristics and will catch low-hanging malware, they are not foolproof against highly targeted attacks.

So just because a lock isn't 100% effective at keeping out criminals we shouldn't lock our doors?

hsbauauvhabzb 3 days ago

I'm not sure how that relates to the company ambulance chasing on what should be a public service announcement without a shade of advertising.

That’s like lock companies parading around when their neighbour is murdered during a burglary but they weren’t because they bought a Foobar(tm) lock.

LocalH 3 days ago

The more tools that exist to help find vulnerabilities, the better, as long as they're not used in a fully automated fashion. Human vetting is vital, but using tools to alert humans to such issues is a boon.

hsbauauvhabzb 4 days ago

For those interested, points associated with this post spiked to at least 4 then dropped back to one. Take of that what you will.