Comment by lapcat
8 days ago
This comment seems a bit confused.
A supply chain attack doesn't directly attack an end developer but rather a supplier of the developer. So who or what is the supplier in this case?
8 days ago
This comment seems a bit confused.
A supply chain attack doesn't directly attack an end developer but rather a supplier of the developer. So who or what is the supplier in this case?
They don't build their own machines or write their compilers or write their own crpyto code or ... so many other things.
> They don't build their own machines or write their compilers or write their own crpyto code or ... so many other things.
An attack on any of these things has nothing specifically to do with the developers of Little Snitch and would have vastly more widespread and important effects.
Why would you even be talking about Little Snitch if a compiler were compromised?!? Your paranoia here is bizarrely narrow. Little Snitch would be the least of our problems in that case.
Their copy of the compiler. Just an example. ¯\_(ツ)_/¯
1 reply →
That seems... not correct?
The comment was asking about preventing a compromised supplier for the developers.
A supply chain attack can be anywhere in the supply chain to the target. If I, the end user, am the target, then a supply chain attack compromising the developer of LittleSnitch is effective.
I may then be a conduit to compromising other software or components, and would both I and LittleSnitch would be part of the supply chain that could be attacked targeting them.
> If I, the end user, am the target
You're not a target, anonymous rando.
Many supply chain attacks aim to run malware on the end-users machine to harvest authentication tokens, etc. So pretty much everyone here who is a developer is the target.
1 reply →
This seems pedantic and I think you know what they’re questioning and why.
> I think you know what they’re questioning and why.
No, not really. And I disagree with the premise, "They must be a target for the various hacking groups out there."
How would you even hack them? I'm a developer too; how would you hack me?
Options range from carefully targeted phishing or social engineering attacks to poor opsec and a five dollar wrench.
13 replies →
?! The same way every other developer that has been hacked. You surely cannot be suggesting you're un-hackable. That seems ludicrously hubristic.
4 replies →
If they trust the devs why would they not trust them to not yolo deploy new versions?
Because it might not be the developers doing the deploying, but a malicious actor?
because a company worthy of trust doesn't yolo their versions. a company that does yolo versions is not trustworthy.