TZubiri 4 hours ago

The underlying root cause of most supply chain attacks in this era seems to be expecting something of value in exchange for nothing.

Under such expectations some will volunteer to give value, but many more will volunteer to give something that looks like what you ask, but which extracts value instead.

I relate it to a recent poker strategy development which came from game theory. It turns out that you can play in an unexploitable manner, but it will usually result in ties, and lost time and money to rake, and theoretically any attempt to exploit another player leaves you exploitable to another player. The classical example is rock paper scissors: the unexploitable strategy is to play randomly with p=1/3 for each choice; however, if one really wishes to win more often than one's opponent, one has to guess, and if in that guessing one chooses an option with 100% certainty, one becomes exploitable to someone choosing another option with 100% certainty.

In effect, the very act of attempting to extract value from free software is the very act that leaves one vulnerable to having value extracted from oneself.
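The rock paper scissors claim in the comment above, worked through numerically as an added example (this is not part of TZubiri's comment; the payoff matrix, function names and the sample mixed strategies are the editor's own). It computes what an opponent who knows your mixed strategy can extract per round: the uniform 1/3 mix yields exactly zero (ties on average, nothing to extract), any biased mix yields a positive amount, and the pure "guess with 100% certainty" strategy that best exploits a biased opponent is itself maximally exploitable.

```python
from fractions import Fraction

# Row player's payoff in rock paper scissors: +1 win, -1 loss, 0 tie.
# Index 0 = rock, 1 = paper, 2 = scissors. PAYOFF[i][j] is the row
# player's payoff when the row player plays i and the opponent plays j.
PAYOFF = [
    [0, -1, 1],
    [1, 0, -1],
    [-1, 1, 0],
]

UNIFORM = [Fraction(1, 3)] * 3  # the unexploitable (minimax) mix


def expected_payoff(strategy, opponent_move):
    """Expected payoff of a mixed strategy against one fixed opponent move."""
    return sum(p * PAYOFF[i][opponent_move] for i, p in enumerate(strategy))


def best_response_payoff(strategy):
    """Assume the opponent knows `strategy` and plays the pure move that
    minimises our payoff (zero-sum game). Returns (their move, our payoff)."""
    payoffs = [expected_payoff(strategy, j) for j in range(3)]
    worst = min(payoffs)
    return payoffs.index(worst), worst


def exploitability(strategy):
    """Per-round gain available to an informed opponent, always >= 0.
    Zero means the strategy is unexploitable; the uniform mix achieves it."""
    _, worst = best_response_payoff(strategy)
    return -worst


def exploit(opponent_strategy):
    """The pure strategy that maximises payoff against a known opponent mix,
    i.e. 'guessing with 100% certainty'. Returned as a one-hot list."""
    gains = [
        sum(q * PAYOFF[i][j] for j, q in enumerate(opponent_strategy))
        for i in range(3)
    ]
    best = gains.index(max(gains))
    return [1 if i == best else 0 for i in range(3)]


if __name__ == "__main__":
    # Constructed sample: an opponent who leans on rock half the time.
    rock_heavy = [Fraction(1, 2), Fraction(1, 4), Fraction(1, 4)]
    print("uniform exploitability:", exploitability(UNIFORM))
    print("rock-heavy exploitability:", exploitability(rock_heavy))
    counter = exploit(rock_heavy)  # always play paper
    print("best response to rock-heavy:", counter)
    # The counter-strategy wins more against the biased opponent but is
    # itself fully exploitable by anyone who always plays scissors.
    print("exploitability of that counter:", exploitability(counter))
```

The script is exact (it uses `Fraction`), so the result for the uniform mix is a true zero rather than a rounding artefact; the same functions accept any zero-sum 3x3 payoff matrix if `PAYOFF` is replaced.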

asdfasgasdgasdg 4 hours ago | parent

"the underlying root cause of most supply chain attacks in this era seems to be expecting something of value in exchange of nothing."

I do not think that someone's status as a contributor to open source mediates their safety from supply chain attacks. Big companies that donate gobs of money get hit, and so do small operators who have contributed nothing and are just trying out a hobby project.

TZubiri an hour ago | parent

No, I don't think so either, nor do I think that my rule is a hard rule; it's more of a correlation:

If you pay for software, your supply chain risk is reduced; if you don't pay for software, your risk is increased.

asdfasgasdgasdg an hour ago | parent

Okay, so we agree that everyone who uses open source is at risk, regardless of whether they're a contributor.

But maybe we disagree about this other thing. I'm not certain that closed-source/paid software is less of a risk either. There have been high-profile incidents lately that suggest this is not a sufficient defense.

Personally, I just think you're barking up the wrong tree with this pay/contribute => reduced-risk link. I don't think there's anything there. I will grant that you are at slightly less risk from software you know well and contribute to directly, but that's only of any help for very low-level stuff that doesn't have many dependencies.