Just absolutely no regard for security at all.
-
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
@mhoye How tf does "npm install openclaw" result in openclaw being given backdoor privileges? As opposed to just some files appearing that only do anything if you execute them.
-
@mhoye
> developers not working in an isolated environment (zone, vm, jail, etc) and letting their devtools access their whole laptop
they deserve it -
-
Just absolutely no regard for security at all. None. The entire burden of self-protection shifted to humans alone at their endpoints in systems and communities entirely, foundationally built on mutual trust and trustworthiness.
@mhoye@cosocial.ca That’s an impressive malware distribution hack.
I would ask if
clinewas compromised but looking up what it is, it was malware from the very start. -
@mischievoustomato @joe @mhoye @sun make a freebsd jail (like a mini copy of the whole OS). put all your dev tools in there. run them from within the jail. if it gets popped, they can't get out to the juicier bits on your real OS
-
@mhoye One more reason to be terrified of the next decade.
-
@mischievoustomato @joe @mhoye @sun make a freebsd jail (like a mini copy of the whole OS). put all your dev tools in there. run them from within the jail. if it gets popped, they can't get out to the juicier bits on your real OS
-
@Gaelan @mhoye I'd disagree it's overestimated - it's been 9 years since my first poc of a supply chain attack with npm and the problem is that is allows all sorts of remote code execution - it's not unique problem to npm, but instead it's the easiest way to ship malware at scale - simply the number of incidents per year with always the same root cause shows this.
-
-
@Gaelan @mhoye what would change is the risk factor that this is out of control of the user (unless you know to use the no scripts flag) - of course any library in JS only needs to import a file for it to execute, and with that a runtime is compromised - but postinstall has the opportunity to blindly install malicious components that can be executed as a demon process when most people aren't paying attention - to me that's important
-
@joe @mhoye @mischievoustomato this isn't just about the LLM, this is about how terrible our software supply chains are these days because people built infrastructure before building trust and now we have this mountain of crap as the foundation of everything we do
-
@mhoye
> developers not working in an isolated environment (zone, vm, jail, etc) and letting their devtools access their whole laptop
they deserve it -
P pelle@veganism.social shared this topic
