On Thu, 2024-09-05 at 13:11 -0400, Jeffrey Walton wrote:
> This made my radar today:
> <https://jfrog.com/blog/revival-hijack-pypi-hijack-technique-exploited-22k-packages-at-risk/>.
> It's like Peter Gutmann said: "A great many of today’s security
> technologies are “secure” only because no-one has ever bothered
> attacking them."

Few people seem to have any idea, or appropriate concern, about security. Including the people that ought to...

If you operate a website (talking about Python hijacks, and the like), using unknown code from some external source, without you having any communication with the coder, you're mad. You don't know about its current safety, the coder's intentions, nor its future prospects. And if you blindly apply updates, you're even more nuts. Especially with expensive professional sites (i.e. not a fill-in-the-template vanity site). If you're going to pay the exorbitant expenses demanded by website creators, then hire ones who'll actually code the thing from scratch, and not just cobble things together from other people's scripts like some amateur bedroom coder.

It's only thanks to much faster modern computers that such festering pools of over-scripted sites still manage to operate, rather than grind to a halt like they used to. Yet day after day, we see sites in which just one page (never mind the whole site) is a conglomeration of dozens of scripts, content dragged in from dozens of sites, advertising that isn't under your control, cookies everywhere. There's no way the site managers can be aware of how they will all interact with each other.

The idea of some library, etc., suddenly getting replaced at some time in the future because the coder deleted it, and someone else inserted a new one using the same name, is a complete absence of security. Relying on the package name alone is crazy.
There should also be some kind of crypto key that identifies a project from the start, that every update must be signed with, preventing a simple substitution.

Security failures like this exist in many other things: You give up a telephone service, someone acquires your old number, people use your old phone number to exploit you. Likewise with email addresses. I've kept old email addresses just to stop someone else misusing them.

I gave up on an old website, kept the domain name for a while, left the site showing a site-closed-down notice, with a redirection to the new one. I eventually decided it was a waste of my money. The moment the domain expired, someone grabbed it, and filled it with junk that scrapes content from elsewhere hoping to get people reading it, hoping that it'll get the former traffic to my site. Years later, it's still like that. I have a look from time to time. It contains nonsense, it's not any kind of service, it's just a domain-squatting parasite.

It's a shame that domain names became so expensive; it may have been worth a few dollars just to maintain ownership of the domain name, but there's a threshold to how much money you're prepared to waste. And you can also run afoul of rules about not hoarding domain names.

-- 
uname -rsvp
Linux 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64

Boilerplate: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
-- 
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
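The "project key fixed at the start, every update signed with it" idea from the message above, as an added example that is not part of the thread or of any package index: a consumer-side check that verifies each release's Ed25519 signature and pins the first key seen for a package name, so a release of the same name published under a different key (the revival-hijack case in the linked article) is refused. `Release`, `Pins` and the sample package name are hypothetical and the archive bytes are constructed.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)
// Release is a hypothetical package release as a consumer would fetch it from an index.
type Release struct {
	Name, Version string
	Archive       []byte            // package contents (constructed sample bytes)
	PublicKey     ed25519.PublicKey // key the publisher presents with the release
	Signature     []byte            // Ed25519 signature over digest(Release)
}
type Pins map[string]string // package name -> public key that first published it (a real lockfile would store a fingerprint)
var ErrBadSignature = errors.New("signature does not verify under the presented key")
var ErrKeyMismatch = errors.New("presented key differs from the key pinned for this name")
func digest(r Release) []byte { // binds name, version and archive with length prefixes so no field can be swapped
	h := sha256.New()
	for _, part := range [][]byte{[]byte(r.Name), []byte(r.Version), r.Archive} {
		fmt.Fprintf(h, "%d:%s", len(part), part)
	}
	return h.Sum(nil)
}
func Sign(priv ed25519.PrivateKey, r *Release) { // publisher side: attach key and signature
	r.PublicKey = priv.Public().(ed25519.PublicKey)
	r.Signature = ed25519.Sign(priv, digest(*r))
}
// Accept verifies the signature, then applies trust-on-first-use pinning: the first key seen for a name is recorded and every later release of that name must use it.
func (p Pins) Accept(r Release) error {
	if !ed25519.Verify(r.PublicKey, digest(r), r.Signature) {
		return ErrBadSignature
	}
	if pinned, ok := p[r.Name]; ok && pinned != string(r.PublicKey) {
		return ErrKeyMismatch
	}
	p[r.Name] = string(r.PublicKey)
	return nil
}
func main() {
	_, owner, _ := ed25519.GenerateKey(rand.Reader)    // original maintainer
	_, squatter, _ := ed25519.GenerateKey(rand.Reader) // later owner of the same name
	v1 := Release{Name: "example-lib", Version: "1.0.0", Archive: []byte("v1 (constructed)")}
	v2 := Release{Name: "example-lib", Version: "1.0.1", Archive: []byte("v2 (constructed)")}
	Sign(owner, &v1)
	Sign(squatter, &v2)
	pins := Pins{}
	fmt.Println(pins.Accept(v1), pins.Accept(v2)) // <nil>, then the key-mismatch error
}
```

Pinning only helps if the pins are stored with the project (as a lockfile is) and a mismatch stops the install rather than just logging.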