18 by bccdee | 13 comments on Hacker News.
Here's a very plausible threat: Some developer with a left-pad package, some dependency-of-a-dependency, injects malware into their library. A developer (who is broadly trustworthy) updates their package's dependencies without auditing them properly, and the malware ends up in a VSCode plugin that you use. You open VSCode, your system is infected. We know this sort of malware is making its way onto package repositories [1]. We know people are falling for these attacks. How do we protect ourselves against this family of threats? [1]: https://ift.tt/3eIvIio We could trust nothing beyond our base system and our browser, and refuse to use any code we don't fully audit, but this would be an impossibly austere way to live. I expect most of us, when pressed, would admit that we're trusting much more code than we would like to. The alternative is sandboxing, using a lightweight option like firejail (which I use) or a totalizing system like QubesOS. But these systems are awkward to use, and have their own drawbacks. What's the bar for reasonable security, in your opinion? How do you secure your workstation without living like a monk?
0 comments:
Post a Comment