Their analysis was triggered by open source projects upgrading en masse and revealing a new anomalous endpoint, so it does require some pioneers to take the arrows. They didn't spot the problem entirely via static analysis, although with hindsight they could have done (missing GitHub attestation).
reply
A security company could set up a honeypot machine that installs new releases of everything automatically and have a separate machine scan its network traffic for suspicious outbound connections.
reply
The problem is what counts as suspicious. StepSecurity are quite clear in their post that they decide what counts as anomalous by comparing lots of open source runs against prior data, so they can't figure it out on their own.
reply
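The baseline-comparison idea in the two comments above (a honeypot that installs new releases and records outbound connections, then flags destinations never seen in prior runs for that package) can be sketched in a few dozen lines. The following is an added example written for this thread; it is not StepSecurity's tooling or any project's code, and the log lines, package names and hostnames are constructed for illustration. It assumes a monitor that emits one line per outbound connection in the form `<run_id> <package>@<version> <host>`.

```python
from collections import defaultdict

# Constructed sample data (not real captures). Each line is one outbound
# connection observed while a package was installed or run in CI.
# Format: <run_id> <package>@<version> <destination_host>
BASELINE_LOG = """\
r1 left-pad@1.3.0 registry.npmjs.org
r1 left-pad@1.3.0 github.com
r2 left-pad@1.3.0 registry.npmjs.org
r3 http-client@2.1.0 registry.npmjs.org
r3 http-client@2.1.0 api.github.com
r4 http-client@2.1.0 registry.npmjs.org
"""

# Constructed: runs after a new release of http-client went out. The
# ".invalid" TLD is reserved and is used here only as a placeholder host.
NEW_LOG = """\
r10 http-client@2.2.0 registry.npmjs.org
r10 http-client@2.2.0 updates.example-c2.invalid
r11 http-client@2.2.0 registry.npmjs.org
r11 http-client@2.2.0 updates.example-c2.invalid
r12 left-pad@1.3.0 registry.npmjs.org
r13 left-pad@1.3.1 registry.npmjs.org
r13 left-pad@1.3.1 github.com
"""


def parse(log):
    """Yield (run_id, package, version, host) tuples; skip blanks and comments."""
    for line in log.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        run_id, pkg_ver, host = line.split()
        pkg, _, ver = pkg_ver.rpartition("@")  # rpartition keeps scoped names intact
        yield run_id, pkg, ver, host


def build_baseline(log):
    """Map each package to the set of hosts contacted in prior, trusted runs."""
    baseline = defaultdict(set)
    for _, pkg, _, host in parse(log):
        baseline[pkg].add(host)
    return dict(baseline)


def find_new_endpoints(baseline, log, min_runs=1):
    """Return (package, version, host, run_count) for every host that is not in
    the package's baseline, counting distinct runs that contacted it.

    A package with no baseline at all flags every host it touches, which is the
    conservative choice. min_runs models the 'pioneers' caveat from the thread:
    a single run hitting a new host is weak evidence, many runs is strong.
    """
    hits = defaultdict(set)
    for run_id, pkg, ver, host in parse(log):
        if host not in baseline.get(pkg, set()):
            hits[(pkg, ver, host)].add(run_id)
    result = [
        (pkg, ver, host, len(runs))
        for (pkg, ver, host), runs in hits.items()
        if len(runs) >= min_runs
    ]
    # Most widely observed new endpoints first.
    result.sort(key=lambda r: (-r[3], r[0], r[1], r[2]))
    return result


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for pkg, ver, host, n in find_new_endpoints(base, NEW_LOG):
        print(f"NEW ENDPOINT {pkg}@{ver} -> {host} (seen in {n} runs)")
```

On the constructed data only `http-client@2.2.0` contacting the placeholder host is reported, with a run count of 2; the `left-pad@1.3.1` release is silent because it only talks to hosts already in its baseline. Raising `min_runs` to 3 suppresses the finding entirely, which is the point the comment makes: the detection needs enough installs to accumulate before the signal clears the noise floor.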
The fact threat researchers and especially their automated agents are not all that good at their jobs
reply
Those threat researchers and their autonomous agents caught this axios release.
reply
deleted
reply
> What do you base that on?

The entire history of malware lol

reply
Can you elaborate? Why do you believe that motivated threat hunters won’t continue to analyze and find threats in new versions of open source software in the first week after release?
reply
Attackers going "low and slow" when they know they're being monitored is just standard practice.

> Why do you believe that motivated threat hunters won’t continue to analyze and find threats in new versions of open source software in the first week after release?

I'm sure they will, but attackers will adapt. And I'm really unconvinced that these delays are really going to help in the real world. Imagine you rely on `popular-dependency` and it gets compromised. You have a cooldown, but I, the attacker, issue "CVE-1234" for `popular-dependency`. If you're at a company you now likely have a compliance obligation to patch that CVE within a strict timeline. I can very, very easily pressure you into this sort of thing.

I'm just unconvinced by the whole idea. It's fine, more time is nice, but it's not a good solution imo.

reply
What, in your view, is a better solution?
reply
There are many options. Here's a post just briefly listing a few of the ones that would be handled by package managers and registries, but there are also many things that would be best done in CI pipelines as well.

https://news.ycombinator.com/item?id=47586241

reply