HackerTrans
TopNewTrendsCommentsPastAskShowJobs

untitaker_

no profile record

comments

untitaker_
·10 months ago·discuss
like I said, if you assume your adversary is the US government then they might as well start issuing rogue TLS certs to target individuals.
untitaker_
·10 months ago·discuss
I don't think there are many options to host sourcecode and binaries in a way that is safe against an adversary like the US, and especially in such a way that technically illiterate users are protected. Because you'd have to assume that CAs are not off-limits either then.
untitaker_
·10 months ago·discuss
I think GP is talking about a scenario where Microsoft would serve either malicious source tree or binaries to just one user, not all of them. that would be fairly hard to detect. but in such scenarios we'd also have to start asking questions about the state of the entire CA ecosystem.
untitaker_
·10 months ago·discuss
i can guarantee you npm will externalize the cost of false-positive malware scans to package authors.