Posted by psxuaw 15 hours ago

Maybe you shouldn't install new software for a bit(xeiaso.net)
635 points | 351 comments (comments page 4)
tjansen 7 hours ago|
I wonder whether there is any tool that can prevent npm from downloading any package that has been published in the last month. While I miss out on possible fixes, this would prevent downloading some 3rd level dep that takes over my machine.
backwardsponcho 6 hours ago||
NPM seems to have introduced the flag `minimumReleaseAge` for this exact purpose. However, even though there are many recent references to it[0][1][2], I don't see it anywhere in the NPM documentation.

[0] https://news.ycombinator.com/item?id=47513932

[1] https://github.com/npm/cli/issues/8570

[2] https://socket.dev/blog/npm-introduces-minimumreleaseage-and...

lmiller1990 7 hours ago|||
pnpm has this, I think others may also have something similar.

https://pnpm.io/settings#minimumreleaseage

janekies 7 hours ago||
pnpm has added a new setting, minimumReleaseAge, enabled by default, just to try to mitigate these issues.
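As an added worked example of what the minimum-release-age gate discussed in this sub-thread actually checks (my code, not npm's or pnpm's implementation, and not anything a commenter posted): walk the versions pinned in a package-lock.json and compare each one's publish timestamp, taken from the `time` map of the package's registry document (`https://registry.npmjs.org/<name>`), against a threshold. The lockfile excerpt, the package names and the timestamps are constructed here so the script runs offline; in a real run you would fetch each registry document instead of reading `REGISTRY_TIME`. The `exclude` option is my own escape hatch for packages whose urgent fixes you want immediately, not a standard npm setting.

```javascript
// Added example: a hand-rolled "minimum release age" gate for an npm lockfile.
// Not npm's or pnpm's implementation; the lockfile and registry data below
// are constructed for the demo so it runs offline.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed package-lock.json (lockfileVersion 3) excerpt. The "" key is the
// root project; every other key is an install path under node_modules.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/fresh-dep": { version: "1.3.0" },
    "node_modules/fresh-dep/node_modules/@scope/helper": { version: "0.9.2" },
    "node_modules/stable-dep": { version: "4.2.1" },
    "node_modules/orphan-dep": { version: "2.0.0" },
  },
};

// Constructed stand-in for the `time` map of each package's registry document
// (GET https://registry.npmjs.org/<name>), which maps version -> publish time.
const REGISTRY_TIME = {
  "fresh-dep": { "1.2.9": "2025-11-02T09:14:00.000Z", "1.3.0": "2026-04-19T03:41:00.000Z" },
  "@scope/helper": { "0.9.2": "2026-03-30T18:00:00.000Z" },
  "stable-dep": { "4.2.1": "2025-06-15T12:00:00.000Z" },
  // "orphan-dep" is deliberately missing: simulates a failed registry lookup.
};

// Walk the lockfile and return every registry package it pins, including
// nested and scoped ones ("node_modules/a/node_modules/@s/b" -> "@s/b").
function lockedPackages(lock) {
  const out = [];
  for (const [key, entry] of Object.entries(lock.packages)) {
    if (key === "" || entry.link) continue; // root project / symlinked workspace
    const i = key.lastIndexOf("node_modules/");
    if (i === -1) continue;                // workspace member, not from the registry
    out.push({ path: key, name: key.slice(i + "node_modules/".length), version: entry.version });
  }
  return out;
}

// Classify one pinned version: "blocked" if published less than minAgeMs before
// `now`, "unknown" if the registry gave no timestamp (fail closed), else "ok".
function releaseAgeStatus(timeDoc, version, minAgeMs, now) {
  const publishedAt = timeDoc ? timeDoc[version] : undefined;
  const published = publishedAt ? Date.parse(publishedAt) : NaN;
  if (Number.isNaN(published)) return { status: "unknown" };
  const ageMs = now.getTime() - published;
  return { status: ageMs < minAgeMs ? "blocked" : "ok", publishedAt, ageDays: ageMs / DAY_MS };
}

// Audit a whole lockfile. `exclude` is this example's own escape hatch for
// packages whose urgent fixes you want immediately; not a standard npm setting.
function auditLockfile(lock, registryTime, { minAgeDays, now = new Date(), exclude = [] }) {
  const minAgeMs = minAgeDays * DAY_MS;
  const report = { blocked: [], unknown: [], ok: [] };
  for (const pkg of lockedPackages(lock)) {
    if (exclude.includes(pkg.name)) { report.ok.push({ ...pkg, status: "excluded" }); continue; }
    const res = releaseAgeStatus(registryTime[pkg.name], pkg.version, minAgeMs, now);
    report[res.status].push({ ...pkg, ...res });
  }
  return report;
}

// Demo run pinned to a fixed "now" so the output is reproducible.
const report = auditLockfile(LOCKFILE, REGISTRY_TIME, {
  minAgeDays: 30,
  now: new Date("2026-04-20T00:00:00Z"),
});
for (const p of report.blocked)
  console.log(`BLOCK   ${p.name}@${p.version}: published ${p.publishedAt}, ${p.ageDays.toFixed(1)} days ago`);
for (const p of report.unknown)
  console.log(`UNKNOWN ${p.name}@${p.version}: no publish time, treat as blocked`);
for (const p of report.ok)
  console.log(`OK      ${p.name}@${p.version}`);
```

Two things the gate cannot do on its own: a lookup failure is reported as "unknown" and should fail the install rather than pass, and the same 30-day quarantine that keeps out a freshly pushed malicious release also keeps out the fixed release of a package that was compromised, which is the trade-off the first comment in this sub-thread points at and why an allow-list for urgent patches goes alongside it.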
vga1 6 hours ago||
Maybe you should install new kernels at least though.
eskibars 7 hours ago||
"If it ain't broke, don't fix it" is its own area of risk that people often ignore
creesch 7 hours ago|
Except that a lot of software likely is already broken in fun ways we currently don't know about. That is what makes it such a "fun" challenge. Supply chain attacks are one thing, but CVEs in already released software allowing other attackers are another.

As always, I know most of us work in IT, but things rarely are actually binary.

pjmlp 9 hours ago||
Remember the whole discussion when UNIX was supposed to not need anti-virus and talking down PCs?

Behaviours matter more than OS security primitives.

jeroenhd 8 hours ago|
The whole (mistaken) belief that Linux and macOS didn't require AV was based on the execute bit being present, something Microsoft fixed back in XP by marking downloaded files as such and preventing them from being opened trivially.

If you have code execution, you can attack the OS.

pjmlp 7 hours ago||
Indeed, when one installs dependencies all over the Internet, or even better, key projects use "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh" as default suggestion on how to install them, attackers have the work done for them.
1718627440 5 hours ago||
> key projects use "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh" as default suggestion

This is exactly why some (including me) don't take these projects seriously. Like you claim to design a language for security, and this is how you tell me to install it????

pocksuppet 1 hour ago|||
Downloading some code from the internet and running it is a very normal way to install software.

curl|sh has the truncated shell script concern. It's possible to mitigate this concern. Did they? If so, it's no different from downloading and running any other installer.

TeamDman 1 hour ago|||
What alternative do you propose for downloading binaries off the internet, placing them in the "right spot" and doing post-install operations like updating PATH that don't have gotchas equivalent to running "untrusted" code like curl|sh?
ptrl600 4 hours ago||
What if it's a really good bit?
bsenftner 3 hours ago||
This is why I avoid the entire JavaScript shitshow that is NPM and all that ecosystems nonsense. The population of users do not have the secondary considerations to be trusted, there will always be someone that does the worse and talks too many into following them. Then the "best practices" produce failures. What a shit show.
bitfilped 4 hours ago||
Am I missing part of the article? This seems like 2 sentences saying "don't install anything cause some Linux LPEs came out." I don't understand why this is on the frontpage of HN.
chubs 9 hours ago||
To mitigate supply chain attacks like this, I've taken to specifying exact versions in my Rust cargo.toml, and when importing new crates, select the previous-to-latest version. Is this a reasonable mitigation? It bugs me that Swift deprecates the concept of specifying exact versions, it actively pushes you towards semver which leaves the door open to this.
kam 1 hour ago||
Cargo will still pick the latest for transitive dependencies that aren't explicitly specified in your Cargo.toml. This is what Cargo.lock is for.
mattstir 1 hour ago||
> select the previous-to-latest version

For supply chain attacks that simply bide their time, or for dependencies which involve interacting with other subsystems, it's possible you miss a critical security update by doing this. Of course, the maintainers of the crates should yank known bad releases, but that's putting trust in a third-party that may have already been compromised.

xbar 10 hours ago||
It seems like this round of vulns is going to be significant. What is the right response?
Gigachad 9 hours ago|
Personally I'm choosing to keep my home server behind a VPN and to enable Lockdown Mode on my phone and laptop for a while until the dust settles. As well as just limiting the software installed to trusted projects only.

VM isolation would still be safe even with these kernel exploits.

tdeck 9 hours ago|
> Copy Fail 2: Electric Boogaloo

What are people thinking with these meme style vulnerability names? It's going to be hard to pitch "we need to push back the timeline on this new infrastructure deploy while we mitigate Copy Fail 2: Electric Boogaloo".

dgellow 9 hours ago|
"we need to push back the timeline on this new infrastructure deploy while we mitigate Copy Fail 2". Problem solved