asveikau 2 days ago

The heuristics powering this, as well as the Windows Defender whitelisting, are terrible.

My understanding is that a specific binary needs to become popular for it to stop being flagged. This creates a chicken and egg problem. Users are not incentivized to use the program with the warning. But removing the warning requires many people to ignore the warning.

This is a big problem for anyone writing Windows software. An indie developer or small open source project is not going to do well with this.

raxxorraxor a day ago | parent | next [-]

This is also what I call bullshit security. These mechanisms are designed to chain developers to the infrastructure of the OS provider. Apple does the same shit for that matter.

jasomill a day ago | parent [-]

Does Microsoft get kickbacks from code signing certificate vendors?

Because AFAIK SmartScreen only applies to software downloaded outside the Microsoft Store.

Come to think of it, I suppose it does incentivize distribution through the Store, so you make a good point.

csomar 2 days ago | parent | prev | next [-]

I found out a similar thing with my website being blocked by corporate firewalls. You need to create profiles at these cyber companies and then wait for whitelisting so that they can drop the ban.

whateverboat 2 days ago | parent | prev | next [-]

This is also happening on linux for me.

kencausey 2 days ago | parent [-]

Don't make statements like this without more explanation. In what way is this happening to you specifically? What distribution and platform are you using? Did you explicitly install something to warn you about 'side-loading' executables?

gruez 2 days ago | parent | prev | next [-]

>My understanding is that a specific binary needs to become popular for it to stop being flagged. This creates a chicken and egg problem.

Given the recent npm axios compromise this sounds like a pretty smart move?

dqv 2 days ago | parent | next [-]

How is it a smart move? Here, Microsoft is training users to ignore a security warning. If the same mechanism were added to NPM (that is, a warning that the package is suspicious and for the user to be extra sure they want it), users would have been trained to ignore any security warning issued for the compromised axios version (just like they had ignored it for all previous "clean" versions) and installed it anyway.

kmeisthax 2 days ago | parent | prev [-]

The relevant heuristic in NPM supply-chain compromises would be the age of the specific binary. i.e. a freshly released package is riskier than one that's been around for a few days. So perhaps the policy should be that NPM doesn't install new package versions unless they've been public for 24 hours, or there's a signed override from the package repository itself stating that the update fixes a security issue. Of course, that would also require the NPM team have a separate review process for signing urgent security fixes.
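One way to implement the 24-hour gate described above, as an added example (not code from the thread or from npm). The `time` object is the real registry packument format; the sample package data and the `overrides` set (standing in for the signed security-fix override) are constructed.

```javascript
// Added example, not code from the thread or from npm: a "minimum age" gate
// for installing a package version. Input is the npm registry packument
// format, whose `time` object maps each version to its ISO publish timestamp
// (plus "created"/"modified" entries). A version is installable once it has
// been public for at least minAgeMs, or when it is in `overrides`, which
// stands in for the signed security-fix override (signature checking itself
// is out of scope here).

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample packument: 1.2.1 was published three hours before
// the "now" used in the demo, 1.2.0 nine days before.
const SAMPLE_PACKUMENT = {
  name: "example-lib",
  "dist-tags": { latest: "1.2.1" },
  time: {
    created: "2024-01-01T00:00:00.000Z",
    modified: "2024-03-10T09:00:00.000Z",
    "1.2.0": "2024-03-01T12:00:00.000Z",
    "1.2.1": "2024-03-10T09:00:00.000Z",
  },
};

// Numeric compare of x.y.z versions; prerelease suffixes are ignored.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function selectInstallableVersion(packument, { now = Date.now(), minAgeMs = DAY_MS, overrides = new Set() } = {}) {
  const eligible = [];
  const held = [];
  for (const [version, publishedAt] of Object.entries(packument.time)) {
    if (version === "created" || version === "modified") continue; // not versions
    const ageMs = now - Date.parse(publishedAt);
    if (ageMs >= minAgeMs || overrides.has(version)) eligible.push(version);
    else held.push(version); // too new and not explicitly approved
  }
  eligible.sort(compareSemver);
  const chosen = eligible.length ? eligible[eligible.length - 1] : null;
  return { chosen, held, latestHeld: held.includes(packument["dist-tags"].latest) };
}

// Demo against the constructed packument at a fixed "now".
const NOW = Date.parse("2024-03-10T12:00:00.000Z");
console.log(selectInstallableVersion(SAMPLE_PACKUMENT, { now: NOW }));
// -> chosen "1.2.0", held ["1.2.1"], latestHeld true
```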

Frotag 2 days ago | parent | prev [-]

Conveniently M$ lets you buy a signing certificate to fix this.

https://stackoverflow.com/questions/48946680/how-to-avoid-th...

pimterry 2 days ago | parent | next [-]

EV no longer skips SmartScreen either nowadays. I understand that was abused, so it's treated as the same as OV. Having a certificate allows the cert itself to accumulate trust (rather than each binary independently doing so) and provides better UX and I suspect an initial small boost to trust signal, but doesn't bypass the initial distrust. There's no way to avoid that AFAICT and even if you're an established business you hit it at intervals because all these certificates expire and so the whole process resets every few years anyway. What a mess.

gruez 2 days ago | parent | next [-]

>There's no way to avoid that AFAICT and even if you're an established business you hit it at intervals because all these certificates expire and so the whole process resets every few years anyway. What a mess.

Maybe have overlapping sets of certificates and dual sign your binaries? That way there's always an "aged" certificate available.

burnte 2 days ago | parent | prev | next [-]

> EV no longer skips smartscreen either nowadays. I understand that was abused

EV was always going to be abused. It started out promising to be a human verified, $10k cert that meant you were GUARANTEED to be who it said you were. Now I can get one for a couple hundred bucks.

The solution is to separate identity from encryption. They never should have been linked.

asveikau 2 days ago | parent | prev [-]

> EV no longer skips smartscreen either nowadays.

Not sure of the exact number, but the "nowadays" here is more than a decade.

asveikau 2 days ago | parent | prev [-]

Last I checked they can still quarantine your binary if it's properly signed and they decided it hasn't gained traction.