I've developed a few browser extensions, and every week I receive numerous emails with "revenue offers". Some experienced developers know that offers like these will inject malware into the browsers of your users, but the scammers who make these offers will not tell you about it. They offer "integrations" that don't look so suspicious. Imagine how many developers have accepted these offers. Then look at the number of extensions in your browser and think about how much risk there is that you have an extension with malware.
Em Adespoton

the programmer is an engineer with a low qualification level who can’t detect scams.

The author of the article doesn’t appear to understand that confidence games don’t depend on how skilled someone is in their field; they are usually a statistical attack depending on a small percentage of any population being credulous about any offer at any given time.

The only way to defend against these scams is defense in depth, via publishing requirements, policies, policy review, code review and security testing.

I should also point out that OSS has come under heavy attack recently with attackers leveraging the dependency chain to trick OSS developers into installing malicious libraries that look a lot like the legitimate versions. Often they create developer identities on GitHub, create a single legitimate project, and do some legitimate commits to a range of other projects. Then they stand up another account and use it to create trojanized libraries, and then switch their now popular project to use the malicious libraries. In some cases, their popular project is a library itself, so every project with dependencies on that library automatically inherits its malicious dependency.

These days, assume that code is likely compromised no matter where it’s from, and do your reviews and testing and set your policies accordingly.

Franzia

Why post in two communities without crossposting? The comments in the other thread were helpful. This is just shillposting, the way you’re doing it.

Possibly linux

There is a simple solution to this. Just don’t use proprietary software.

Yes, in theory, but you have to vet the libraries you add to be really sure. Even these “integrations” might be open source and still be malicious, because they prey on the lazy devs (…don’t look at me 👀) who would just look at the license and say “ah, it’s MIT, all good then”.
To be honest, they would also need to be either very gullible or desperate to fall for such an offer; open source devs usually don’t go around offering get-rich-quick schemes.
