Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
dns_snek 2 days ago

Seriously? This is is extremely low hanging fruit that's not being taken care of. You shouldn't be able to take over a software dependency with a phishing email. Requiring simple PGP code signing or even just passkey authentication would eradicate that entire attack vector.

Future attacks would then require a level access of access that's already synonymous with "game over" for all intents and purposes (e.g. physical access, malware, or inside job). It's not bulletproof but it would be many orders of magnitude better than the current situation.

rs186 2 days ago | parent [-]

As long as you can publish a package in a CI environment (which is essential), none of what you mentioned matters. And that's not even the point.

That phishing email is just one of the ways attackers use to infiltrate, which is not Microsoft's problem to begin with. Next time, the attacker could install malware in your machine that silently runs code and publish a package on your behalf using your own credentials stored locally while you think everything is ok, and you'd still blame Microsoft for not doing enough.

dns_snek 2 days ago | parent | next [-]

> Next time, the attacker could install malware in your machine

I already addressed this in the previous comment but I hope you realize the absurdity of this statement. If the attacker can corner you in a dark alley they can steal your yubikey and beat the PIN out of you, too. By that logic is 2FA futile and should we all stop using it?

Security isn't binary, simply raising the bar from falling for a phishing email to gaining access to someone's machine will probably eliminate 99% of all compromises.

> and you'd still blame Microsoft for not doing enough

Gaining access to someone's machine is definitive "game over" scenario, using that as an excuse not to harden security to the point that that's the only option left is lazy and irresponsible. Even with that kind of access, code signing will slow the viral spread way down which would make a difference.

Once you make it hard to hijack packages, time will be better spent on investing in sandboxing which also protects people from insider threats.

righthand 2 days ago | parent | prev [-]

You should indicate whether or not you work for or somehow are affiliated with Microsoft.