yupyupyups 6 days ago


Something helpful here would be to enable developers to optionally identify themselves. Not Discord-style where only the platform knows their real identity, but publicly as well.

gruez 6 days ago

So, EV code signing certificates? Windows has that, and it'll verify that right in the OS. Git for instance, shows as being signed by

CN = Johannes Schindelin O = Johannes Schindelin S = Nordrhein-Westfalen C = DE

Downside is the cost. Certificates cost hundreds of dollars per year. There's probably some room to reduce cost, but not by much. You also run into issues of paying some homeless person $50 to use their identity for cyber crimes.

  • mc32 5 days ago

    How would the homeless chap have the creds or gravitas for people to trust him or her?

    • veeti 5 days ago

      I don't really know who Johannes Schindelin is either but use git quite happily.

  • brabel 5 days ago

    You don't need certificates, just use PGP keys like Maven.

    • gruez 5 days ago

      PGP keys don't tell you anything about a developer's "real identity". Theoretically there's some "web of trust", but realistically everyone just blindly downloads whatever PGP key is listed on the repo's install instructions.

      • brabel 5 days ago

        Bullshit. The public key can be obtained by several easy means, like visiting the publisher's website or a social network site like GitHub, which is common. That verifies the identity just as well as any certificate! But with much less trouble.

morkalork 6 days ago

You don't think bad actors don't have access to entire countries worth of stolen identities to use for supply chain attacks?

  • hirsin 6 days ago

    This was largely the reason I rejected "real name verification" ideas at GitHub after the xz attack. Especially if they are state sponsored, it's not that hard for a dedicated actor (which xz certainly was) to get a quality stolen identity.

    The inevitable evolution of such a feature is a button on your repo saying "block all contributors from China, Russia, and N other countries". I personally think that's the antithesis of OSS and therefore couldn't find the value in such a thing.

    • morkalork 6 days ago

      That would be easily defeated by a VPN. The inevitable evolution would be some kind of in-person attestation of identity backed up with some kind of insurance on the contributor's work, and, well, you're converging on the employer-employee relationship then.

      • hirsin 5 days ago

        Yep, I saw the cat and mouse ending at ever increasingly invasive verifications involving more parties, that could ultimately still be worked around by a state actor. We already get asked for "block access from these country ip ranges please" as a security measure despite it being trivially bypassed, so it is easy to predict a useless but strong demand for blocking users based on their verified country.

        • ozgrakkurt 4 days ago

          This feels so true, all this surveillance/controlling seems like it will be a non-issue for the dedicated hacker or criminal eventually and just a lost right for the regular person.

      • berdario 5 days ago

        "defeated", yes

        "easily", not so much...

        As in, services can still detect if you're connecting through a VPN, and if you ever connect directly (because you forgot to enable the VPN), your real location might be detected. And the consequences there might not be "having to refresh the page with the VPN enabled", but instead: "find the whole organisation/project blocked, because of the connection of one contributor"

        This is why CoMaps is using Codeberg, after its predecessor (before the fork) project got locked by GitHub:

        https://news.ycombinator.com/item?id=43525395

        https://mastodon.social/@organicmaps/114155428924741370

        Moreover, this kind of stuff is also the reason I stopped accessing Imgur:

        - if I try without VPN, Imgur stops me, because of the UK's Online Safety Act

        - if I try with my personal VPN, I get a 403 error every single time

        I'm sure I could get around it by using a different service (e.g. Mullvad), but Imgur is just not important enough for me to bother, so I just stopped accessing it altogether.

dcrazy 6 days ago

This is what macOS codesigning does. Notarization goes one step further and anchors the signature to an Apple-owned CA to attest that Apple has tied the signature to an Apple developer account.

  • laserbeam 5 days ago

    As I understand it, this attack works because the worm looks for improperly stored secrets/keys/credentials. Once it finds them, it publishes malicious versions of those packages. It hits NPM because it's an easy target, but I could easily imagine it hitting pip or the repo of some other popular language.

    In principle, what's stopping the technique from targeting macOS CI runners which improperly store keys used for notarization signing? Or is it impossible to automate a publishing step for macOS? Does that always require a human to do a manual thing from their account to get a project published?