zlacker

[return to "Notepad++ supply chain attack breakdown"]
1. ashish+q9[view] [source] 2026-02-03 23:29:06
>>natebc+(OP)
I am running a lot of tools inside sandbox now for exactly this reason. The damage is confined to the directory I'm running that tool in.

There is no reason for a tool to implicitly access my mounted cloud drive directory and browser cookies data.

◧◩
2. troad+9b[view] [source] 2026-02-03 23:38:13
>>ashish+q9
MacOS has been getting a lot of flak recently for (correct) UI reasons, but I honestly feel like they're the closest to the money with granular app permissions.

Linux people are very resistant to this, but the future is going to be sandboxed iOS style apps. Not because OS vendors want to control what apps do, but because users do. If the FOSS community continues to ignore proper security sandboxing and distribution of end user applications, then it will just end up entirely centralised in one of the big tech companies, as it already is on iOS and macOS by Apple.

◧◩◪
3. ashish+kd[view] [source] 2026-02-03 23:48:45
>>troad+9b
It also has persistent permissions.

Think about it from a real world perspective.

I knock on your door. You invite me to sit with you in your living room. I can't easily sneak into your bed room. Further, your temporary access ends as soon as you exit my house.

The same should happen with apps.

When I run 'notepad dir1/file1.txt', the package should not sneakily be able to access dir2. Further, as soon as I exit the process, the permission to access dir1 should end as well.

◧◩◪◨
4. lifeis+3k[view] [source] 2026-02-04 00:28:13
>>ashish+kd
A better example would be requiring the mailman to obtain written permission to step on your property every day. Convenience trumps maximal security for most people.
◧◩◪◨⬒
5. BobbyT+pL[view] [source] 2026-02-04 03:57:02
>>lifeis+3k
The early version of UAC in Windows did that…

Asking continuously is worse than not asking at all…

[go to top]