Comment on apps .. repo or not
lemmyng@lemmy.ca 2 months ago
Rant: We’re living in a time where curl | bash has become normalized. This generation’s security practices are fucked.
Back to the topic: I see it as a problem of not enough education and too much trust. People are not taught how to verify the authenticity and legitimacy of software, and put too much trust in claims of authority. It’s not just a consumer problem either, look at the CrowdStrike incident: people in the industry knew it was shit, but the decision makers kept trusting it because they are a big name. How did they become a big name? The same way a lot of other companies do, by bribing the early decision makers into using them.
Back to consumers: it doesn’t help that there’s no first class sandboxing features. Both Android and iOS rely heavily on app store controls. Sure, there are some system controls, but the user has barely any agency over them.
kristoff@infosec.pub 2 months ago
Well, in principle I do not see that much difference between ‘curl | bash’, ‘sudo apt-get install’ or installing an app on your phone. In the end, it all depends on trust.
Considering how complex software has become and on how many libraries from all over the internet any application that does more than ‘hello world’ depends, I do not see how you can do if you are not prepared to put blind trust into some things.
Concerning CrowdStrike, I am just reading a book on human behaviour (very interesting for everybody who is interested in cybersecurity), and I am just on the chapter about the fear of deciding with unknown parameters vs. the fear of not deciding at all. Any piece of software will break at some point, so will you wait forever to find something that will not have any vulnerabilities?
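As an added illustration of the point both commenters circle around (how to verify what you are about to run, and what separates `curl | bash` from a package manager), here is a small "download, verify, then run" helper. It is example code written for this thread, not something either commenter posted. It assumes the publisher distributes a SHA-256 digest over a channel separate from the download itself (a digest served from the same place as the script only proves integrity in transit, not authenticity; a signature check would be the next step). The sample script content is constructed.

```shell
#!/bin/sh
# Added example: save first, check the digest, and only then execute.
# Contrast with `curl URL | bash`, where the bytes are executed as they
# arrive and nothing is left on disk to inspect or compare.

# sha256_of FILE: print the hex SHA-256 digest, on GNU or BSD userlands.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_digest FILE EXPECTED: return 0 if FILE hashes to EXPECTED, else 1.
# EXPECTED is assumed to come from a trusted out-of-band source (a signed
# release page, a vendor mail, a pinned value in your own config).
verify_digest() {
    actual=$(sha256_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "digest mismatch for $1: expected $2, got $actual" >&2
        return 1
    fi
    return 0
}

# verify_then_run FILE EXPECTED: execute FILE with sh only after the digest
# check passes; on mismatch the file is left untouched and nothing runs.
verify_then_run() {
    verify_digest "$1" "$2" || return 1
    sh "$1"
}

# demo: constructed installer script, a matching digest, then a tampered copy.
demo() {
    script=$(mktemp) || return 1
    printf 'echo "installer ran"\n' > "$script"
    pinned=$(sha256_of "$script")          # stands in for the published digest

    echo "--- untouched file, pinned digest matches:"
    verify_then_run "$script" "$pinned"

    printf 'echo "extra line injected"\n' >> "$script"
    echo "--- same pinned digest, file modified after publication:"
    if verify_then_run "$script" "$pinned"; then
        echo "unexpected: tampered script was executed"
    else
        echo "refused to run tampered script"
    fi
    rm -f "$script"
}

demo
```

Note that the pattern only moves the trust question, it does not remove it: you still trust whoever published the digest, exactly as `apt-get install` trusts the distribution's signing key. What it buys you is that the trust decision is explicit and the artefact is on disk where it can be read before it is run.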