Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
otterley 12 hours ago

What do you base that on? Threat researchers (and their automated agents) will still keep analyzing new releases as soon as they’re published.

mike_hearn 8 hours ago | parent | next [-]

Their analysis was triggered by open source projects upgrading en-masse and revealing a new anomalous endpoint, so, it does require some pioneers to take the arrows. They didn't spot the problem entirely via static analysis, although with hindsight they could have done (missing GitHub attestation).

narrator 7 hours ago | parent [-]

A security company could set up a honeypot machine that installs new releases of everything automatically and have a separate machine scan its network traffic for suspicious outbound connections.

mike_hearn 2 hours ago | parent [-]

The problem is what counts as suspicious. StepSecurity are quite clear in their post that they decide what counts as anomalous by comparing lots of open source runs against prior data, so they can't figure it out on their own.

PunchyHamster 4 hours ago | parent | prev | next [-]

The fact threat researchers and especially their automated agents are not all that good at their jobs

zwily 3 hours ago | parent [-]

Those threat researchers and their autonomous agents caught this axios release.

3 hours ago | parent [-]
[deleted]
staticassertion 6 hours ago | parent | prev [-]

> What do you base that on?

The entire history of malware lol

otterley 3 hours ago | parent [-]

Can you elaborate? Why do you believe that motivated threat hunters won’t continue to analyze and find threats in new versions of open source software in the first week after release?

staticassertion 3 hours ago | parent [-]

Attackers going "low and slow" when they know they're being monitored is just standard practice.

> Why do you believe that motivated threat hunters won’t continue to analyze and find threats in new versions of open source software in the first week after release?

I'm sure they will, but attackers will adapt. And I'm really unconvinced that these delays are really going to help in the real world. Imagine you rely on `popular-dependency` and it gets compromised. You have a cooldown, but I, the attacker, issue "CVE-1234" for `popular-dependency`. If you're at a company you now likely have a compliance obligation to patch that CVE within a strict timeline. I can very, very easily pressure you into this sort of thing.

I'm just unconvinced by the whole idea. It's fine, more time is nice, but it's not a good solution imo.

otterley 2 hours ago | parent [-]

What, in your view, is a better solution?

staticassertion an hour ago | parent [-]

There are many options. Here's a post just briefly listing a few of the ones that would be handled by package managers and registries, but there are also many things that would be best done in CI pipelines as well.

https://news.ycombinator.com/item?id=47586241