HackerTrans
TopNewTrendsCommentsPastAskShowJobs

dmarto

no profile record

Submissions

Argumentum ad colossum

chrisdone.com
3 points·by dmarto·10 tháng trước·1 comments

Crates.io phishing attempt

fasterthanli.me
156 points·by dmarto·10 tháng trước·78 comments

comments

dmarto
·10 tháng trước·discuss
And now the phishing page is advertising data for sale:

> crates.io db along with juicy tokens for sale. email for buying! (free leak if no offer till sunday >.<)

So far: rickroll → Strong Dog vs Weak Dog meme → future plans → advertisement.
dmarto
·10 tháng trước·discuss
Heh, the phishing page now redirects to a rickroll.
dmarto
·2 năm trước·discuss
Vendoring is nice, and I usually prefer it, but you don't always have the time or people for it.

Vendoring + custom build system (Bazel?) for everything is basically googles approach, if what I have read is correct. Definitely better than everything we have, but the resources for it are not something most can afford.

P.S also what mrcus said, if we trust the upstream build process, we may as well trust their binaries.
dmarto
·2 năm trước·discuss
You have perfectly put into words, all my thoughts.

I have been thinking about ways to secure myself, as it is exhausting to think about it every time there is an update or some new dependency.

After this attack, I think the only sure way is to unplug the computer and go buy goats.

The next best thing? Probably ephemeral VMs or some Codespaces/"Cloud Dev Env thingy". (except neither would save me in the xz case)
dmarto
·2 năm trước·discuss
Kinda relevant, as I saw few comments about how safer languages are the solution.

Here[0] is a very simple example, that shows how easy such supply chain attacks are in Rust; and lets not forget that there was a very large python attack just a few days ago[1].

[0] - https://github.com/c-skills/rust1

[1] - https://checkmarx.com/blog/over-170k-users-affected-by-attac...