this post was submitted on 29 Feb 2024
67 points (95.9% liked)

Programming

17424 readers
79 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev



founded 1 year ago
MODERATORS
all 12 comments
sorted by: hot top controversial new old
[–] CubitOom@infosec.pub 22 points 8 months ago

Too bad the phrase fork bomb is already taken

[–] RestrictedAccount@lemmy.world 15 points 8 months ago

This is why we can’t have nice things

[–] Mikelius@lemmy.ml 2 points 8 months ago

Sorta kinda wondering (conspiracy thought, totally no evidence, just a random thing that came to my mind) if this is either an attack on AI or attempt to compromise those who use AI to write their code. Or both.

[–] eveninghere@beehaw.org -2 points 8 months ago* (last edited 8 months ago) (1 children)

I'm thinking that ssh agents aren't safe at all today if I decrypt the secret key upon login. It was always a security issue, but now we probably should assume we have one or two malware installed. No way antivirus can counter these AIs.

[–] Piatro@programming.dev 9 points 8 months ago (1 children)

The risk here is slightly overblown or misrepresented. Just because a fork exists doesn't mean that anyone has even read it, let alone run it on their system. For this to be a real threat they would have to publish packages with identical or similar names (ie typo-squatting) to public package repositories which this article didn't have any information on but which is a known problem long before AI. The level of obfuscation and number of repos affected is impressive but ultimately unlikely to have widespread impact to anyone besides GitHub.

[–] eveninghere@beehaw.org 1 points 8 months ago* (last edited 8 months ago) (1 children)

The thing is, how do I know whether the Debian repo is free of them? Arch user repos? The node.js packages? My pip? The package managers I don't really understand but had to use anyway? Code from my colleagues? My students? Vim plugins?

Every program can do ssh to my critical remote computer if they want to.

And now someone in the chain can land on the wrong github page suggested by Google, which itself is bent to its knees by ChatGPT.

[–] Piatro@programming.dev 7 points 8 months ago (1 children)

Again, this existed before AI. Typo squatting, supply chain attacks, automated package uploads, CI pipeline infection, they're all known attack vectors. That's not to say this isn't a concern, just that it's a known risk and the addition of "AI" doesn't, to my eyes, increase that risk. If your SSH keys don't require a password, you have taken the decision to make those keys less secure but more convenient to use. That's pretty much always the tradeoff in security.

[–] eveninghere@beehaw.org 1 points 8 months ago

I'm talking about the magnitude