kevinrineer 4 days ago

It's also really ineffective defense against 0 days!

easterncalculus 3 days ago | parent | next [-]

In the context of a single system, there is no such thing as an "effective defense against 0 days" - that's marketing babble. A zero day by definition is an exploit with no defense. That's literally what that means.

hdjrudni 3 days ago | parent [-]

That doesn't sound right.

> A zero-day exploit is a cyberattack vector that takes advantage of an unknown or unaddressed security flaw in computer software, hardware or firmware. "Zero day" refers to the fact that the software or device vendor has zero days to fix the flaw because malicious actors can already use it to access vulnerable systems.

If I never install the infected software, I'm not vulnerable, even if no one knows of its existence.

That said, you could argue that because it's a zero day and no one caught it, it can lie dormant for >2 weeks so your "just wait awhile" strategy might not work if no one catches it in that period.

But if you're a hacker, sitting on a goldmine of infected computers... do you really want to wait it out to scoop up more victims before activating it? It might be caught.
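The "just wait awhile" strategy above can be turned into a mechanical check: compare each installed version's publish date from the npm registry's per-package `time` map against a minimum age. This is an added example, not code from the thread or from Remix; the package names, versions and dates are constructed, and `audit` is a hypothetical helper that takes the current time as an ISO string.

```python
from datetime import datetime

MIN_AGE_DAYS = 14  # the "wait a while" window the thread argues about

# Constructed sample in the shape of the npm registry's per-package "time" map
# (one ISO timestamp per published version); names and dates are made up.
REGISTRY_TIME = {
    "example-utils": {
        "created": "2025-01-05T10:00:00.000Z",
        "1.0.0": "2025-01-05T10:00:00.000Z",
        "1.0.1": "2025-03-20T08:00:00.000Z",  # fresh release, inside the window
    },
    "example-logger": {
        "created": "2024-11-01T00:00:00.000Z",
        "2.3.0": "2024-11-01T00:00:00.000Z",
        # "2.3.1" was unpublished, so the registry has no timestamp for it
    },
}

# Constructed installed set, as a lockfile would record it.
INSTALLED = {"example-utils": "1.0.1", "example-logger": "2.3.1"}

def parse_ts(ts):
    # Registry timestamps are ISO 8601 with a trailing Z (UTC).
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def release_age_days(time_map, version, now):
    """Days since `version` was published, or None if the registry has no date for it."""
    ts = time_map.get(version)
    if ts is None:
        return None
    return (now - parse_ts(ts)).total_seconds() / 86400

def versions_too_new(installed, registry, now, min_age_days=MIN_AGE_DAYS):
    """Return [(name, version, reason)] for installs that have not aged past the window."""
    # A version with no publish date is flagged too: it was either unpublished
    # (a common response to a malicious release) or the metadata is incomplete.
    flagged = []
    for name, version in sorted(installed.items()):
        age = release_age_days(registry.get(name, {}), version, now)
        if age is None:
            flagged.append((name, version, "no publish date in registry"))
        elif age < min_age_days:
            flagged.append((name, version, f"published {age:.0f} days ago"))
    return flagged

def audit(now_iso):
    """Run the check against the constructed data at the given UTC time."""
    return versions_too_new(INSTALLED, REGISTRY_TIME, parse_ts(now_iso))
```

Running `audit("2025-03-25T00:00:00Z")` flags both packages; ten days later only the unpublished version remains flagged.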

saberience 3 days ago | parent [-]

Yeah but zero days usually refers to some software which is commonly installed. E.g. a zero day in the version of windows or mac os that most people are using.

No one bothers finding 0-days in software which no one has installed.

blamestross 4 days ago | parent | prev | next [-]

Sadly we don't have any defense against 0 days if an emergency patch is indistinguishable from an attack itself.

Better defense would be to delete or quarantine the compromised versions, fail to build and escalate to a human for zero-day defense.

minitech 3 days ago | parent [-]

> Sadly we don't have any defense against 0 days if an emergency patch is indistinguishable from an attack itself.

Reading the code content of emergency patches should be part of the job. Of course, with better code trust tools (there seem to have been some attempts at that lately, not sure where they’re at), we can delegate that and still do much better than the current state of things.

ozim 3 days ago | parent | prev [-]

If I put my risk management hat on - 0 days in npm ecosystem are not that much of a problem.

They stop working before you can use them.