bob1029, 4 days ago:
"Batteries included" ecosystems are the ultimate defense against the dark arts. Your F100 first party vendor might get it wrong every now and then, but they have so much more to lose than a random 3rd party asshole who decides to deploy malicious packages. The worst thing I can recall from the enterprisey ecosystems is the log4j exploit, which was easily one of the most attended-to security problems I am aware of. Every single beacon was lit for that one. It seems like when an NPM package goes bad, it can take a really long time before someone starts to smell it.
brushfoot, 3 days ago (reply to bob1029):
Agreed; the rich standard library from Microsoft is one of the many things I appreciate about C#. The article's author seems to be under the misapprehension that standard libraries should or have to be community-driven like Node's, and that falling for phishing attacks is inevitable over a long enough period of time. Neither notion is accurate.
ameliaquining, 4 days ago (reply to bob1029):
Log4Shell didn't light up all the beacons because Java is "enterprisey"; it was because it was probably the worst security vulnerability in history. Not only was the package extremely widely used, the vulnerability existed for nearly a decade and was straightforwardly wormable, so basically everybody running Java code anywhere had to make sure to update and check that they hadn't been compromised. Which is just a big project requiring an all-out response, since it's hard to know where you might have something running. By contrast, this set of backdoors only existed for a few hours, and the scope of the vulnerability is well understood, so most developers can be pretty sure they weren't impacted and will have quite reasonably forgotten about it by next week. It's getting attention because it's a cautionary tale, not because it's causing a substantial amount of real damage. I do think it's worth reducing the number of points of failure in an ecosystem, but relying entirely on a single library that's at risk of stagnating due to eternal backcompat obligations is not the way; see the standard complaints about Python's "dead batteries". The Debian or Stackage model seems like it could be a good one to follow, assuming the existence of funding to do it.
SahAssar, 4 days ago (reply to bob1029):
Heartbleed? Solarwinds? Spectre/Meltdown? Stuxnet? EternalBlue? CVE-2008-0166 (Debian predictable private keys)?
dghlsakjg, 4 days ago (reply to bob1029):
Solarwinds?