zlacker

[parent] [thread] 13 comments
1. Lammy+(OP)[view] [source] 2026-02-02 04:16:11
Vindicated once again for turning off any update checks the moment I install any new piece of software.

Even if this sort of (obviously rare) attack is not a concern, it baffles me how few otherwise-intelligent people fail to see the way these updaters provide the network (which itself is always listening, see Room 641A and friends) with a fingerprint of your specific computer and a way to track its physical location based on the set of software you have installed, all of which want to check for updates every goddamn day.

replies(4): >>arcfou+p >>derf_+B >>sodali+22 >>nacoza+hN5
2. arcfou+p[view] [source] 2026-02-02 04:20:48
>>Lammy+(OP)
If the people with access to Room 641A want you, you're toast unless you're ready to make some REALLY big digital lifestyle changes that most people would not be amenable to, because you would have to be extremely paranoid on multiple fronts all the time. That kind of heightened vigilance is exhausting and really not worth it.

Threat modeling: it keeps things realistic.

replies(1): >>Lammy+m1
3. derf_+B[view] [source] 2026-02-02 04:24:10
>>Lammy+(OP)
It is baffling to me, as well. You know how you get a remote-code-execution vulnerability? You give a bunch of software permission to fetch code remotely and execute it.
replies(1): >>mmis10+z2
◧◩
4. Lammy+m1[view] [source] [discussion] 2026-02-02 04:32:35
>>arcfou+p
Sorry for assuming you'd be able to extrapolate from one example. It could be at any level of the funnel from your local machine to the wider Internet. Closer to home: this sort of fingerprinting could defeat things like MAC randomization in a PSK-authed business/university setting if those IT departments had some reason to want to track you.

I once worked at a company where the Security team were very proud of this and all the other tricks they used to catch leakers by figuring out who was on campus, where, at what time, usually via fingerprinting personal devices carried alongside corporate devices.

replies(1): >>arcfou+23
5. sodali+22[view] [source] 2026-02-02 04:39:55
>>Lammy+(OP)
How do you deal with the opposite, software that you forget to update but contains vulnerabilities discovered/exploited later?
replies(1): >>Lammy+X2
◧◩
6. mmis10+z2[view] [source] [discussion] 2026-02-02 04:44:55
>>derf_+B
Like… browser? Or anything with script loading capabilities like script engine in games. Executing remote script is almost unavoidable nowadays.

And there isn't really a way to confirm if it is configured in a secure way.

You either trust the developer or not.

replies(2): >>einr+06 >>g-b-r+Ta
◧◩
7. Lammy+X2[view] [source] [discussion] 2026-02-02 04:49:04
>>sodali+22
I use a package manager that checks the hash of the downloaded installer against what's recorded in the package listing for that version. WinGet has been built in to Windows since one of the 2018-era releases of Windows 10: https://i.ibb.co/VYGXdc56/2026-02-01-20-46-28-Greenshot.png
replies(1): >>hypeat+rG
◧◩◪
8. arcfou+23[view] [source] [discussion] 2026-02-02 04:49:52
>>Lammy+m1
Ah, so, in addition to turning off automatic updates (everyone knows patches are for wimps! The real threat is supply chain compromise, not 1-days!), you also have taken all of the other necessary steps to protect yourself from the NSA? What if they just compel Microsoft to backdoor Windows/WinGet against you?

And these updaters almost universally use HTTPS, which network-based adversaries can't see except for SNI, and even that's going away...?

replies(1): >>Lammy+l6
◧◩◪
9. einr+06[view] [source] [discussion] 2026-02-02 05:19:36
>>mmis10+z2
At least JS code in a browser is sandboxed. A Notepad++ update is just rawdogging an executable on your bare metal, perhaps with admin privs even, and hoping for the best.
◧◩◪◨
10. Lammy+l6[view] [source] [discussion] 2026-02-02 05:24:27
>>arcfou+23
> What if they just compel Microsoft to backdoor Windows/WinGet against you?

You are confusing cause with effect. Leaking this type of fingerprint data over time is what allows users of Palantir-like systems to decide you're somebody worth individually targeting.

◧◩◪
11. g-b-r+Ta[view] [source] [discussion] 2026-02-02 06:19:14
>>mmis10+z2
First, it wasn't even the developer who compromised people, here; second, scripts in most cases are orders of magnitude less dangerous than a windows executable.

And, in many cases you can get some protection from a developer going rogue (or not writing perfect code), it's not an all or nothing.

◧◩◪
12. hypeat+rG[view] [source] [discussion] 2026-02-02 11:55:03
>>Lammy+X2
Integrity checks say nothing about the package authenticity, though. State sponsored actors could just... change the hash on the listing in a hypothetical attack.
replies(1): >>Lammy+9a2
◧◩◪◨
13. Lammy+9a2[view] [source] [discussion] 2026-02-02 20:04:24
>>hypeat+rG
“Just” lol

That would be two things that would have to be compromised and redirected simultaneously to malicious versions. Way more likely to be noticed too because one of them would be GitHub, and unless they mirror the entire rest of the package metadata index and keep it up to date for everything else besides their targeted malicious package.

14. nacoza+hN5[view] [source] 2026-02-03 18:04:01
>>Lammy+(OP)
an auto-updater for a text editor is particularly infuriating
[go to top]