upvote

points

by XYen0n17 hours ago |
comments
upvoteby otterley17 hours ago|
next
[-]
What do you base that on? Threat researchers (and their automated agents) will still keep analyzing new releases as soon as they’re published.
reply
upvoteby mike_hearn13 hours ago|
parent|
next
[-]
Their analysis was triggered by open source projects upgrading en-masse and revealing a new anomalous endpoint, so, it does require some pioneers to take the arrows. They didn't spot the problem entirely via static analysis, although with hindsight they could have done (missing GitHub attestation).
reply
upvoteby narrator13 hours ago|
parent|
[-]
A security company could set up a honeypot machine that installs new releases of everything automatically and have a separate machine scan its network traffic for suspicious outbound connections.
reply
upvoteby mike_hearn7 hours ago|
parent|
[-]
The problem is what counts as suspicious. StepSecurity are quite clear in their post that they decide what counts as anomalous by comparing lots of open source runs against prior data, so they can't figure it out on their own.
reply
upvoteby PunchyHamster9 hours ago|
parent|
prev|
next
[-]
The fact threat researchers and especially their automated agents are not all that good at their jobs
reply
upvoteby zwily8 hours ago|
parent|
[-]
Those threat researchers and their autonomous agents caught this axios release.
reply
upvoteby 8 hours ago|
parent|
[-]
deleted
reply
upvoteby staticassertion11 hours ago|
parent|
prev|
[-]
> What do you base that on?

The entire history of malware lol

reply
upvoteby otterley8 hours ago|
parent|
[-]
Can you elaborate? Why do you believe that motivated threat hunters won’t continue to analyze and find threats in new versions of open source software in the first week after release?
reply
upvoteby staticassertion8 hours ago|
parent|
[-]
Attackers going "low and slow" when they know they're being monitored is just standard practice.

> Why do you believe that motivated threat hunters won’t continue to analyze and find threats in new versions of open source software in the first week after release?

I'm sure they will, but attackers will adapt. And I'm really unconvinced that these delays are really going to help in the real world. Imagine you rely on `popular-dependency` and it gets compromised. You have a cooldown, but I, the attacker, issue "CVE-1234" for `popular-dependency`. If you're at a company you now likely have a compliance obligation to patch that CVE within a strict timeline. I can very, very easily pressure you into this sort of thing.

I'm just unconvinced by the whole idea. It's fine, more time is nice, but it's not a good solution imo.

reply
upvoteby otterley7 hours ago|
parent|
[-]
What, in your view, is a better solution?
reply
upvoteby staticassertion7 hours ago|
parent|
[-]
There are many options. Here's a post just briefly listing a few of the ones that would be handled by package managers and registries, but there are also many things that would be best done in CI pipelines as well.

https://news.ycombinator.com/item?id=47586241

reply
upvoteby cozzyd17 hours ago|
prev|
next
[-]
that's why people are telling others to use 7 days but using 8 days themselves :)
reply
upvoteby MetaWhirledPeas6 hours ago|
parent|
next
[-]
You don't have to be faster than the bear, you just have to be faster than the other guy.
reply
upvoteby wongarsu11 hours ago|
parent|
prev|
next
[-]
brb, switching everything to 9 days
reply
upvoteby johnisgood8 hours ago|
parent|
[-]
That is 3D chess level type shit. xD
reply
upvoteby shreyssh12 hours ago|
prev|
next
[-]
Worth noting this attack was caught because people noticed anomalous network traffic to a new endpoint. The 7-day delay doesn't just give scanners time, it gives the community time to notice weird behavior from early adopters who didn't have the delay set.

It's herd immunity, not personal protection. You benefit from the people who DO install immediately and raise the alarm

reply
upvoteby sersi12 hours ago|
parent|
[-]
But wouldn't the type of people that notifes anomalous network activity be exactly the type of people who add a 7 day delay because they're security conscious?
reply
upvoteby DrewADesign8 hours ago|
parent|
next
[-]
And I’ll bet a chunk of already-compromised vibe coders are feeling really on-top-of-shit because they just put that in their config, locking in that compromised version for a week.
reply
upvoteby shreyssh1 hours ago|
parent|
prev|
[-]
[dead]
reply
upvoteby jmward0117 hours ago|
prev|
next
[-]
I suspect most packages will keep a mix of people at 7 days and those with no limit. That being said, adding jitter by default would be good to these features.
reply
upvoteby Barbing15 hours ago|
parent|
[-]
>adding jitter by default would be good

This became evident, what, perhaps a few years ago? Probably since childhood for some users here but just wondering what the holdup is. Lots of bad press could be avoided, or at least a little.

reply
upvoteby DimmieMan17 hours ago|
prev|
next
[-]
They’re usually picked up by scanners by then.
reply
upvoteby Aurornis17 hours ago|
prev|
next
[-]
Most people won’t.

7 days gives ample time for security scanning, too.

reply
upvoteby 3abiton16 hours ago|
prev|
next
[-]
This highly depends on the detection mechanism.
reply
upvoteby bakugo17 hours ago|
prev|
next
[-]
> If everyone avoids using packages released within the last 7 days

Which will never even come close to happening, unless npm decides to make it the default, which they won't.

reply
upvoteby 131hn11 hours ago|
prev|
[-]
[dead]
reply