Axios maintainer pwnage is fucking peak incompetence. Critical shit is in the hands of fucking idiots. How the fuck are these guys not having separate computers for different tasks? Seriously... Or a fucking VM for the crap... Tech is available, tech is cheap. Everyone is a fucking moron... Damn...

@osxreverser That's not even remotely near peak. Yes, they could have done better but … nobody is buying them a separate computer to use for stuff like this and if it's a side project they're not looking for more friction.

We have this conflict all over the open source world. We could really use a well-trusted organization (CNCF, Apache, Linux, etc.) making a major effort to help maintainers adopt trusted publisher build workflows, for example, but that wouldn't be cheap or fast.

@acdha Virtual machines are dirt cheap. There is no excuse. People are just incompetent and the whole thing is ridiculous the more you read into it. It can't just be fame and GitHub stars; the increased responsibility demands increased friction, security and better processes. Otherwise it's just stupid risk everyone is taking, assuming the other side is able to behave reasonably securely.

@osxreverser I'm aware VMs are cheap, but they're not magic. Stuff like the Trivy attack would've gotten any credentials shared inside the VM, so you still need to work on the harder problem of friction. The Axios attack either would have popped the host or, if he tried to use Teams inside the VM, would have gotten all of the exposed credentials there, which likely would have included their GitHub / NPM cookies if they thought they were working with a collaborator.

@acdha You get a VM per task. A VM to use Zoom/Teams/Slack for unknown stuff should be mandatory. Segregation is not a new concept. Yes, it increases friction, but that's exactly the way it protects against this kind of crap. People can't keep sharing important resources; they need at least some segregation. VMs aren't invincible, but they would solve most of these problems and introduce extra attacker friction.