jl6, 5 hours ago:
To our new generation of human shields willing to use software releases less than a month old, we salute your sacrifice.

xandrius, 2 hours ago (reply):
Not a fair take. CPU-Z and HWMonitor are often used on new installations of PCs (or at least by me) to verify hw specs and stuff, or when I need to do some upgrade work for a desktop computer. I just go to the trusted site, download what's there and get going. This is not an npm package that a dev is updating on day 0 of its release to be a "human shield"; it's literally the first version which comes up when DLing the new software.

saltcured, 2 hours ago (reply):
Seems like the kind of thing to just have on a bootable thumb drive, to inspect any machine without requiring installation on the fly. In fact, I think I used to use memtest86+ this way as it is a baked-in boot option on Fedora bootable ISO images. (Or at least was in the past, I haven't checked this recently.)

avazhi, an hour ago (reply):
CPU-Z gets updated to recognise new CPUs and memory configs and thus must be downloaded new to recognise the new hardware in a new machine (otherwise it can't recognise it properly). With Memtest sure, but CPU-Z is something you actually need the latest version of when you first fire up a new PC.

saltcured, 33 minutes ago (reply):
OK, so a bootable thumb drive rather than a read-only ISO image? I mean, it should be possible to give it an update function which you can run from any utility host, rather than requiring a live install at the moment you want to test a new machine. That update function could do normal package management and repository things with digital signature checks, etc. And it could be done ahead of time to support sneaker-net scenarios, i.e. where you won't have networking on the new machine that is being burned-in/validated.
mikestorrent, 5 hours ago:
Is there a tool out there that you can put software releases into and it will tell you how safe it is? I don't seem to be able to buy anything to do this. Crowdstrike and other modern antivirus may react to it once it's on a device, SAST / SCA tooling will help with CVEs, but there's nothing I can give my users where they can put in some piece of random software and get a reputation metric out the other side, is there?

vladvasiliu, 4 hours ago (reply):
> put in some piece of random software and get a reputation metric out the other side

Well, the enterprise version of MS Defender will not only react to it if it does something "weird", but will specifically look at its "reputation" before it runs at all. However, as another commenter pointed out, this generates a ton of false positives. Basically everything that's "brand new" is liable to trigger it. Think your freshly compiled hello_world.exe. So, all in all, people may no longer pay attention to it and just click through all warnings.

tranceylc, 31 minutes ago (reply):
Worked on a Minecraft clone on Steam that would falsely get flagged by Defender as a "bitcoin miner" for YEARS.

__natty__, 4 hours ago (reply):
Not exactly for software (although there is such a section), but I use the end-of-life [0] website. Besides the time when certain software will be outdated, it also tells you their release time.

[0] https://endoflife.date/

Foobar8568, 5 hours ago (reply):
Besides VirusTotal, I am unsure. https://www.virustotal.com/

seanw444, 4 hours ago (reply):
You could put it into an LLM, since that's what we do for everything else nowadays.
layer8, 3 hours ago:
I'm not one to chase the new and shiny, but how do you know a nominally months-old software package isn't a newly compromised version at the time you download it?

ndriscoll, 2 hours ago (reply):
I don't know about other managers, but nixpkgs has hashes of the package I'm installing, and is a git repo, so I can easily detect a history rewrite, and I have the full history of package changes over time. Since it's a git repo, I can also easily install things as of a given time.

herecomesthepre, 2 hours ago (reply):
Windows has this thing called digital signing with certificates that Linux users like to pretend doesn't exist, or, in the case of yesterday's WireGuard / VeraCrypt discussion, think is an evil capitalist scheme to control the world. Digital signing on Windows predates Mac developer certificates by years but arguably wasn't widely used outside of security-paranoid organizations. Before someone says Linux offers GPG signing: it's mostly useless without a central PKI. Developers offer the public key for download on the same server as the software. If someone uploaded compromised software, surely they would replace the key with their own.

BenjiWiebe, an hour ago (reply):
Linux package managers (the normal way to install software) use signed packages. I don't know how easy/hard it would be to compromise that.

badsectoracula, an hour ago (reply):
> Windows has this thing called digital signing with certificates that Linux users like to pretend doesn't exist

...or, much more likely, any potential benefits are not worth the negatives.

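Added example, not written by any commenter above: the Windows-side checks that the signing and reputation discussion in this subthread points at, run before a downloaded utility is executed. It pins the Authenticode signer to a publisher CN you verified earlier rather than accepting any "Valid" signature, computes the SHA-256 for a VirusTotal lookup by hash, and reads the Mark-of-the-Web zone that SmartScreen's reputation check keys on. The file path and the expected CN are placeholders.

```powershell
# Added example (not from the thread). Placeholders: $Path and $ExpectedSignerCN, which you take
# from a copy you verified earlier, not from the same download page as the binary.
function Test-DownloadedBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSignerCN   # e.g. 'CN=EXAMPLE PUBLISHER' (placeholder)
    )

    # 1. Authenticode: the signature must verify AND chain to the publisher you expect.
    #    A valid signature from some other signer is exactly what a swapped binary would carry.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signerOk = $false
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
        $signerOk = $sig.SignerCertificate.Subject -like "*$ExpectedSignerCN*"
    }

    # 2. SHA-256 for an offline comparison against a pinned value, or a VirusTotal
    #    lookup by hash (no upload of the file needed).
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # 3. Mark-of-the-Web: ZoneId=3 marks the file as coming from the Internet zone, which is
    #    what makes SmartScreen evaluate its reputation on first run. Do not Unblock-File it.
    $zone = try { (Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop) -join ' ' }
            catch { 'no Zone.Identifier stream' }

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = [string] $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Timestamped     = [bool] $sig.TimeStamperCertificate   # countersignature survives cert expiry
        SignerMatches   = $signerOk
        Sha256          = $hash
        ZoneIdentifier  = $zone
    }
}

# Usage with placeholder path and CN; treat SignerMatches=$false as "do not run".
Test-DownloadedBinary -Path "$env:USERPROFILE\Downloads\cpu-z_setup.exe" -ExpectedSignerCN 'CN=EXAMPLE PUBLISHER'
```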
|
leptons, 3 hours ago:
I hope you don't think that waiting a month will protect you. Malicious software can wait to be triggered months or years before anything malicious happens.

BenjiWiebe, an hour ago (reply):
It helps. If I were a malware/backdoor author, I have the choice to make it lie idle for a couple of months; this would help me get more victims, BUT it gives more time for someone to notice it BEFORE I get any victims at all. Whereas if it is active immediately, I'm likely to get at least a few victims.
|
|
sourcegrift, 4 hours ago:
Thank the web that produced CSS programmers who have been taught latest is greatest and shiny gets money.

leptons, 3 hours ago (reply):
"New, shiny" has never been a problem with CSS. Either browsers support some CSS attribute or they don't. You're probably thinking about JavaScript programmers.