The buyout for open source projects seems like a way underrated vector…

You’re assuming it’s not. It can only be reported if it’s identified

It''s because there were lower hanging fruit, but now that things are getting slightly more complicated and because the money involved has increased so much for malware, etc.

The webdevelopment space went the last 6-8 years completely insane for the lack of a better word . JS workflows have way too many dependencies which not only open then up for supply attacks from all sides e.g React is not build by a company it which is not a software company for others which means Meta can stop supporting the project any moment they like. This is a house of cards. GraphQL and Firebase and such DBs where you have direkt access from the client side is also a super bad idea we knew that even SQL is not good enough for security we have to pack them into PDOs this is a complete violation of security policies . The REST APIs aren't that bad but RPCs are better when you are inside you own applications REST is for 3th party because in RPC you don't have to care of your types(means you need to care in REST) your own I mentioned this because MS dropped their own C# RPC support. I also heard that React Native has a expo which let you update your Android or iOS iPhone app by bypassing their stores which is also a violation of security policies because they bypass their review process.

These attacks are probably are just as common as you think.

You mean yesterday?

On 150 floppy discs, too! The first 12 are nothing but pr0n, of course. One disc is dedicated to nothing but millions and billions of emoji, another is just the Google homepage and nothing else, and so on...

No, step one is to download an orchestration suite that downloads a manifest to compose a fleet of containers so you can run a microservice so you can get syntax highlighting over a socket for some insane reason.

And you think this doesn't affect corporate code? It does.

@@orbatos I'm willing to bet Microsoft can't be bought like that by the Chinese government. Now by the NSA on the other hand...

@@Cafuzzler Lol can't buy what you already have, you mean?

Having a Chinese web page doesn’t mean anything, their page actually footer says made in USA. I hate people know nothing and start jumping into conclusions

@@geliba187 You're right. Just because they have a Chinese site, that doesn't mean they are bad. When they are injecting malware into polyfill.js, then we can conclude they suck dick.

CDNs are fine if you control them (like your own Cloudflare, CloudFront, BunnyCDN, etc account). For an embedded product though, you probably just want to have all the content locally on the system (like you said).

And obviously funnel people into using their hacked versions...

I want to know as well.

Yeah I'm out of the loop lol

same lol

Wanna know

Same here - did the Primeagen just troll us??? Lol

Yup, the fact that websites provide this as an option for their libraries is pure insanity.

Shit had me rolling 🤣

wow, I got it now 🤣

@@redneckcoder As long as you're not using an ancient, unsupported browser version, blocking the script won't break anything at all.

Correct, Subresource Integrity supported by 97.25% of all browsers in the wild.

Yes, please.

The problem is polyfill is dynamically generated based on your browser since that's the whole point of polyfill

@@firen777 they don't have a base script that loads the browser specific one ?

@@autohmae that leaves me thinking: is it really achievable? The current polyfill implementation, as I understand it, is that the server serves you different versions of JS based on your user-agent. (i.e. returns nothing for a modern browser, but returns missing functions for old ones). Therefore, SRI won't work in this case. If we REALLY wanna go for the "base script" approach so that we can have SRI check, then the base script will probably need to check all the possible UA inside the script, fetch the corresponding script as string, checksum the string as makeshift SRI, then eval the string (holy shit).

I am doing the same, like: - This controls the GPU, the only depency is a NVIDIA lib - This interfaces with Win32 and uses a MS lib

@@tablettablete186 When writing software that runs in browser, it doesn't necessarily require any dependencies.

I just raised this at work as well. I'm not a security guy tho. If you don't mind explaining, what needs to be done?

That's the crazy part about it though. Polyfill is specifically designed to generate the js file for each user, so the integrity attribute can't be used.

@@crispybacon1999 yes, but for any other cases you can and should use it. and you could also change the polyfill code to make the JS code responsible for determining which version to use instead of the server doing it based on headers.

I still remember when Linux Mint's ISO got compromised...

@@marioprawirosudiro7301that is not stupid. Because sign is checked when downloading from apt not when it’s just copying files from usb to pc.

@@pranavtaysheti7858 No, it's not stupid. But then again, I never said it was. My reply was because OP's comment about "deranged supply chain attacks" and "Debian" reminded me of Mint's ISO case.

@@marioprawirosudiro7301 sorry I misinterpreted

@@pranavtaysheti7858 It's fine. Anyway, back then the incident freaked me out so much because I was a Mint user at the time. This led me to a wild distro hopping, trying to find something good enough to replace Mint. Settled on elementary OS, though the way they "update" made me move again. Plus, I said "they", but it's really just a single person running the entire operation... My Linux machine (an old laptop) is now on openSUSE (Tumbleweed, installed recently, like a week ago). Running pretty well, for a rolling release.

it does it called Subresource Integrity

But if you still want to use it, you can also just add a hash in the HTML of whatever you are linking.

You could easily publish a phishy minified script to npm after purchasing it and not push the real code to git. At this rate it's inevitable that we're going to see a severe long-running and wide reaching attack in the future. Slack uses Node. And they probably upgrade their dependencies reasonably frequently. We're one crafty SOB away from basically all tech companies getting compromised. That is, if it hasn't already happened.

That would break the vast majority of the internet.

This has nothing to do with cross-site javascript, its just a supply-chain attack because the developer didnt own the domain they were using

​@@asmithdev2162 And anyone that self hosted a trusted copy of the library for their own use isn't affected by this glaring supply chain weakness.

Yah yah

@@Kane0123 Jawohl

That was a "certified American" moment

As a German I object.

@@black-snow Entschuldigung.

Should have been April 2nd, which is the xz exploit.

This goes back much earlier than that. People like Stallman predicted this type of behavior back in the 90s. If you have a deep understanding of technology, a concept of how incompetent the average user is, and knowledge of the motivations of the people causing these types of disasters, then the natural extrapolation ends up being pretty accurate. Which is why we unfortunately have to say, yet again, Stallman was right. I bring up Stallman, because it's still impressive for someone to be able to predict self-deleting digital media back in the 90s, when CDs barely existed. You have to be a genius, or insane (or both) to be able to realize that future was possible, and likely, given the status quo of the time. It's a lot less impressive to see Johnathan comment on these things, because he has the advantage to write software at a time when it's entirely technically possible to cause these supply chain attacks. Like, literally, if he had the money and the motivation, he could conduct that type of attack himself. Given that we've had decades to see these problems, to fix them, and we're still failing in the most basic ways, I have little hope that the average software project avoids these security disasters. After all, it was only within the last decade that SQL injection, a solved problem, moved out of the OSWAP top 10. The average software developer doesn't understand or care about security, and when they do, usually it ends up being "deprioritized" by management, in lieu of more features.

This has nothing to do with npm. It's their cdn that was affected.

Polyfill doesn't use npm, and in fact, using npm would have actually avoided this issue since the JS that's loaded can't possibly change unless you update it to a newer version.

lol yeah how does this not apply to closed source software

We kinda did. The package managers can generate immutable version references, but this wasn't an attack on the library code or the package manager. It was an attack on the CDN that hosted compromised versions of those safe packages. There's not really a good way to avoid that type of attack, as long as you don't host your own CDN.

i knew a jerry huang from school

bro reading you is HARD

@@Gregorius_ yeah, ive re-read my gibberish. its warm at my place.

Bro what r u saying ​@@lyth1um

By picking the wrong tool do you mean requiring that types package?

Thanks for deleting my explanation YT

Not possible to use SRI with polyfill io because the output differs depending on the browser (it only loads the polyfills that are actually needed). Pretty convenient for a supply chain attack!

Unfortunately there's no real way to enforce clauses like that when you're selling to foreign companies