TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

67% Positive

Analyzed from 363 words in the discussion.

Trending Topics

#write#malware#install#yourself#update#package#malicious#solution#don#detection

Discussion (5 Comments)Read Original on HackerNews

drdexebtjl39 minutes ago
This sounds like a prime new vector for malware, ironically.
scott_w13 minutes ago
My understanding is probably not: the hooks are configured locally, not by other packages automatically, so you’d install and setup the pre-install hooks yourself to check the packages before install/update.

Can it be exploited? Yes, anything can. But that’s not a reason to not do this if the overall result is better.

TZubiriabout 1 hour ago
>Every package install is checked against the threat feed and it raises an exception if we find something malicious being installed.

So your solution is to reinvent signature based antiviruses, like Norton Antivirus and McAffee?

The problem with these 2000s approaches were that attackers could:

1- Fuzz their payloads so that they are never the same and they don't trigger detection.

2- Offload payload mechanisms so that your monitoring system needs to play cat and mouse. For example, what if the malicious code does wget https://IP/file, will you detect wget commands? Will you scan for whatever looks like a URL? Ok, what if they do "another_package_manager_like_flatpack malicious_package", will your scanner implement all package managers? What if they construct the url? "protocol + "://" + domain + file" surely your global hook thing will notice that is a url and how it is downloaded and inspect those contents as well?

3- The attacker can control the timing and infect every user at the same time, especially if they control the update mechanism of users whose security policy is to keep things patched. Even if the malicious update is not simultaneous, the malicious update can start distribution, and the attack only triggered months later (simultaneously) when enough users have downloaded it (beating latency policies).

The only solution is to do actual work and either write the thing you are trying to offload to the 'open source community, or to actually write it yourself. But of course more work is going to be put into the possibility of a magical easy solution, than on an deteriministic hard solution.

oefrhaabout 1 hour ago
That’s just a wall of text for “malware detection is hard, write everything yourself, don’t use third party”. Thanks for the insight, I guess.
TZubiri1 minute ago
>Malware detection is hard Hell yeah

>Write everything yourself, don't use third party

No, you are exaggerating my point of view so that it's easier to dismiss and so you don't have to evaluate the proposition.

A mix of a Strawman and a false dilemma.

"Write more and use less third party, than you are currently using." would be more accurate.

Consider this, the package manager I use has not been infected in over a decade, the package manager you are suggesting improvements for is currently distributing malware as we speak. Doesn't that end the conversation?

But maybe you ship faster, I guess.