HackerLangs
TopNewTrendsCommentsPastAskShowJobs

dmarto

no profile record

Submissions

Argumentum ad colossum

chrisdone.com
3 points·by dmarto·10 เดือนที่ผ่านมา·1 comments

Crates.io phishing attempt

fasterthanli.me
156 points·by dmarto·10 เดือนที่ผ่านมา·78 comments

comments

dmarto
·10 เดือนที่ผ่านมา·discuss
And now the phishing page is advertising data for sale:

> crates.io db along with juicy tokens for sale. email for buying! (free leak if no offer till sunday >.<)

So far: rickroll → Strong Dog vs Weak Dog meme → future plans → advertisement.
dmarto
·10 เดือนที่ผ่านมา·discuss
Heh, the phishing page now redirects to a rickroll.
dmarto
·2 ปีที่แล้ว·discuss
Vendoring is nice, and I usually prefer it, but you don't always have the time or people for it.

Vendoring + custom build system (Bazel?) for everything is basically googles approach, if what I have read is correct. Definitely better than everything we have, but the resources for it are not something most can afford.

P.S also what mrcus said, if we trust the upstream build process, we may as well trust their binaries.
dmarto
·2 ปีที่แล้ว·discuss
You have perfectly put into words, all my thoughts.

I have been thinking about ways to secure myself, as it is exhausting to think about it every time there is an update or some new dependency.

After this attack, I think the only sure way is to unplug the computer and go buy goats.

The next best thing? Probably ephemeral VMs or some Codespaces/"Cloud Dev Env thingy". (except neither would save me in the xz case)
dmarto
·2 ปีที่แล้ว·discuss
Kinda relevant, as I saw few comments about how safer languages are the solution.

Here[0] is a very simple example, that shows how easy such supply chain attacks are in Rust; and lets not forget that there was a very large python attack just a few days ago[1].

[0] - https://github.com/c-skills/rust1

[1] - https://checkmarx.com/blog/over-170k-users-affected-by-attac...