
Comment by wokwokwok

2 years ago

This argument comes up reasonably regularly.

No, the majority of the world does not download and run binaries from non-reputable sources.

The distinction between reputable and non-reputable varies, but broadly, easily spoofable user-uploaded content falls into the non-reputable.

Most people download software from trustworthy websites like the official Chrome website.

Indeed, the fact that people are continually scammed by this sort of attack is why Apple now refuses to run unsigned binaries by default.

To pretend nothing is wrong here is like pretending JavaScript supply chain attacks don’t exist because you don’t want them to exist.

…and yet. They do exist; wanting it not to be true does not make it so.

Likewise, downloading and running arbitrary binaries from a forum is naive.

You simply want nothing bad to happen.

That does not mean nothing bad will actually happen.

Even if you trust the authors of the posts, how reputable is the forum itself? Are the binary hashes posted? (No, they aren’t).

> I'm new in this forum

^ does not inspire confidence.
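The comment above asks whether binary hashes are posted alongside the downloads. The following is an added example, not code from this thread or from any of its participants, showing what a reader would do with such a hash if it were posted: compute the SHA-256 of the downloaded file in chunks, parse a checksum list in the coreutils `sha256sum` format, and compare with a constant-time comparison. The file name `tool.bin` and its contents are constructed for the demo; the digest is the well-known SHA-256 of the bytes `hello\n`.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample: the SHA-256 of b"hello\n", as `echo hello | sha256sum` prints it.
HELLO_SHA256 = "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums_file(text):
    """Parse lines in the coreutils format '<64 hex chars>  <filename>'.

    A leading '*' on the filename (binary-mode marker) is stripped. Blank
    lines, comments and malformed lines are ignored rather than trusted.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_download(path, expected_hex):
    """Return True only if the file's SHA-256 equals the published digest.

    hmac.compare_digest avoids leaking how many leading characters matched;
    it is cheap insurance even though the digest itself is not secret.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected_hex.lower())


def check_against_sums(path, sums_text):
    """Look the file up in a posted checksum list and verify it.

    Returns 'ok', 'mismatch', or 'unlisted' (no digest was posted for it).
    """
    sums = parse_sums_file(sums_text)
    name = os.path.basename(path)
    if name not in sums:
        return "unlisted"
    return "ok" if verify_download(path, sums[name]) else "mismatch"


def demo():
    """Run the checks on a constructed download and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "tool.bin")
        with open(good, "wb") as f:
            f.write(b"hello\n")
        tampered = os.path.join(d, "tool-modified.bin")
        with open(tampered, "wb") as f:
            f.write(b"hello!\n")  # one extra byte, as a trojaned build would differ
        # Constructed checksum list, as a poster would attach it to a forum post.
        sums_text = f"{HELLO_SHA256}  tool.bin\n"
        return {
            "digest": sha256_of_file(good),
            "good": check_against_sums(good, sums_text),
            "tampered": check_against_sums(tampered, sums_text.replace("tool.bin", "tool-modified.bin")),
            "unlisted": check_against_sums(tampered, sums_text),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that a matching hash only proves the file is the one the poster hashed; if the hash sits in the same post as the download link, an attacker who can edit the post can change both, so a hash is a transport-integrity check, not a substitute for a signature from a key you already trust.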

Yes, I'm new in hydrogenaud.io. However, I have been active since 2018 in "encode.su".

This year, the "3rd Global Data Compression Competition (gdcc.tech)", organized by Huawei and Barcelona Autonoma University, was held. In this competition, I placed 3rd in the world in the "Professional Task 6 - Ultra Fast" category (JABBAR). And I spent only 2 weeks of the 5-month competition process for this degree.

We can only share and test such a specific work in specific environments.

You are simply toeing the line of corporate propaganda, that says people must always submit to centralised authority instead of exercising their own judgement.

That is what is leading us to dystopia.

We are not "pretending", we are simply stating that the magnitude of risk is absolutely tiny.

Insecurity is freedom. Don't let them take away the latter in the name of security.

"There is nothing to fear but fear itself."

  • you think the risk is tiny, but:

    A) the risk exists.

    B) you’ve taken no steps to verify that it’s tiny

    C) you’re trusting new users just as much as well established users

    D) your community is not as obscure and tiny as you imagine when it floats to the top of HN.

    It’s not corporate dictatorship to say “there are bad actors out there looking to take advantage of naive users”; it’s reality.

    You can refuse to acknowledge that reality, that’s your choice.

    However, it’s probably irresponsible to encourage other people to do so.