zlacker

11 comments
1. the_fa+(OP) 2026-02-02 04:53:35
That's the most honest assessment you can expect from any small-scale developer. What do you expect them to say or do? Their adversary is presumably a national intelligence agency of a superpower.

The odds may be better if you operate the way OpenSSH does: move slow, security first, architect everything to be very difficult to attack. But if you're building a text editor, it's not your mindset, and probably never will be.

replies(3): >>xeroma+x1 >>hjoutf+Fd >>avazhi+pg
2. xeroma+x1 2026-02-02 05:10:03
>>the_fa+(OP)
Yup, the only way to combat this as a small-time dev would be to turn off auto updates and make people build from source.
replies(2): >>tjwebb+y2 >>m-schu+43
3. tjwebb+y2 2026-02-02 05:20:00
>>xeroma+x1
yea `curl <url> | gcc` is much safer...
replies(1): >>trympe+s5
4. m-schu+43 2026-02-02 05:26:33
>>xeroma+x1
Why would building from source be safer? Are you vetting every single line of third-party source code you compile and use?
replies(1): >>g-b-r+K7
5. trympe+s5 2026-02-02 05:59:00
>>tjwebb+y2
Security through ... rarity? Maybe not for nation-state actors, though.
6. g-b-r+K7 2026-02-02 06:22:41
>>m-schu+43
You're sure not vetting any byte of an executable, so building from source is safer.
replies(1): >>m-schu+ok
7. hjoutf+Fd 2026-02-02 07:30:18
>>the_fa+(OP)
And yet OpenSSH was almost the victim of a giant hack too (xz-utils).
8. avazhi+pg 2026-02-02 08:02:34
>>the_fa+(OP)
> The odds may be better if you operate the way OpenSSH does: move slow, security first, architect everything to be very difficult to attack. But if you're building a text editor, it's not your mindset, and probably never will be.

I mean, if you look at the Notepad++ website, this developer seems just as concerned with spamming political messaging all over everything as he is with writing the software he's distributing. It's pretty crazy he apparently didn't think to take more basic precautions given he is basically permatrolling Russia and China with his messaging. Big brain moment for him. And meanwhile, after reading that disclosure nonsense, none of us even know what's going on - like, should we be formatting machines that were affected during that timeframe? Was the attack targeted and specific only? Who the fuck knows!

replies(1): >>the_fa+n51
9. m-schu+ok 2026-02-02 08:47:28
>>g-b-r+K7
Binaries or source, it's pretty much the same unless you thoroughly vet the entire source code. Malicious code isn't advertised and commented and found by looking at a couple of functions. It's carefully hidden and obfuscated.
replies(1): >>g-b-r+Zn
10. g-b-r+Zn 2026-02-02 09:28:53
>>m-schu+ok
That's

However much the code is hidden and obfuscated, some parts of the source code are going to be looked at.

For a binary, none, ever, except in the extremely rare case that someone disassembles and analyzes one version of it.

The fact that open-source doesn't coincide with security doesn't mean that it isn't beneficial to security.

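The two threads of the argument above (auto-updates pushing an unvetted binary, and whether a locally built artifact is any better than a downloaded one) both reduce to a check a defender can actually run: pin the SHA-256 of a release obtained from a trusted, out-of-band channel (a signed checksum file or release notes) and refuse to install anything that does not match, and, where the project publishes reproducible builds, compare the digest of your own build against the distributed binary. The following is an added example, not code from the page, from Notepad++ or from any project discussed here; the artifacts, their payloads and the "pinned" digest are constructed inline so it runs offline.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_pinned_digest(path, expected_hex):
    """Return True only if the artifact matches the digest pinned from a trusted channel.

    hmac.compare_digest is used so the comparison does not leak where the
    two strings first differ; hex digests are normalised to lower case.
    """
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def build_matches_release(local_build_path, distributed_path):
    """Reproducible-build check: the binary you compiled must be byte-identical
    (same SHA-256) to the one the update channel served."""
    return hmac.compare_digest(sha256_file(local_build_path), sha256_file(distributed_path))


def make_constructed_artifacts():
    """Create constructed sample files (not real releases) for the demo.

    Returns paths for the served release, a byte-identical local build,
    a tampered copy, and the digest that stands in for a pinned checksum.
    """
    payload = b"constructed release payload v1.0\n"
    tmp = Path(tempfile.mkdtemp(prefix="pinned-digest-demo-"))

    served = tmp / "editor-1.0-installer.bin"
    served.write_bytes(payload)

    local_build = tmp / "editor-1.0-local-build.bin"
    local_build.write_bytes(payload)

    # A tampered copy: the original payload with one extra byte appended.
    tampered = tmp / "editor-1.0-tampered.bin"
    tampered.write_bytes(payload + b"\x90")

    # Hypothetical pinned digest, as if copied from a signed checksums file.
    pinned_hex = hashlib.sha256(payload).hexdigest()
    return {
        "served": served,
        "local_build": local_build,
        "tampered": tampered,
        "pinned_hex": pinned_hex,
    }


def run_checks():
    """Run all three checks and return their outcomes as a dict."""
    art = make_constructed_artifacts()
    return {
        "served_matches_pin": verify_pinned_digest(art["served"], art["pinned_hex"]),
        "tampered_matches_pin": verify_pinned_digest(art["tampered"], art["pinned_hex"]),
        "reproducible": build_matches_release(art["local_build"], art["served"]),
        "tampered_reproducible": build_matches_release(art["tampered"], art["served"]),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```

The pinned digest is only as trustworthy as the channel it came from; fetching the checksum from the same server that serves the binary defeats the point, which is why signed checksum files or release notes mirrored elsewhere are the usual source. The reproducible-build comparison is the concrete form of the "source versus binary" argument above: it turns "someone might read the source" into "my compiled output matches what was shipped".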
11. the_fa+n51 2026-02-02 14:56:53
>>avazhi+pg
First, you're getting upset at a random person on the internet for expressing their political views. Second, your objection almost certainly has nothing to do with this attack. It targeted some specific subset of users of Notepad++, not the maintainer.
replies(1): >>avazhi+b02
12. avazhi+b02 2026-02-02 19:38:39
>>the_fa+n51
You think the developer/publisher/maintainer of software as ubiquitous as Notepad++ is some 'random person on the internet'? Or are you referring to the commenter I was replying to?

I definitely am not upset at the commenter I replied to, and while I'm definitely upset at the maker of Notepad++, I don't think he qualifies as some random person on the internet. If you publish software that security-conscious people use (and certainly Notepad++ is used by tech-savvy, security-conscious people), then you, really by definition, aren't some random person - that's kinda the whole point. Security-conscious and tech-savvy people tend not to install things from random people on the internet.

Notepad++ was a trusted website/trusted developer, and they got caught with their pants down doing some truly dumb and lazy shit, and then they published a blog post that doesn't explain much of anything. So yeah, that's pretty infuriating, my friend.
