> Somehow, we've all just accepted that it's totally normal to install tools from random strangers that can
Some people do this without thinking much about it. Not all of us. This is not normal nor ok.
Predicting this kind of attack was easy. Many of us probably did. (I did.) This doesn't make me feel much better though, since (a) I don't relish when lazy or ignorant people get pwned; (b) there are downstream effects on uninvolved people; and (c) there are classes of attacks that are not obvious to you or me.
Stay suspicious, stay safe. There are sharks in the water. With frikin' laser beams on their heads too.
I'm running Linux, millions of lines of code I never verified, and which may or may not have been verified by trustworthy people. In the end it's one big risk. When I'm developing in Go, it's pulling in many lines of code I don't have time to validate; same with Java, so many jars. Who knows what I'm running...
I don’t know where to start with the comment above. First, different code bases receive different levels of scrutiny, so factor this in. Second, there are tools that can help with supply chain security. Third, security isn’t all or nothing; we can and do make decisions under uncertainty. Fourth, who is accountable when things go badly?
And every distro has a different mix of packages that they install by default. There's no "standard" Linux installation.
And cosmic rays could cause bit flips, causing a patient record to have an undetectable error, leading to a surgeon removing the wrong kneecap.
I’m exaggerating to make a point here. If one builds a threat model, one can better allocate one’s attention to the riskiest components.
All of us operate in an uncertain world. Flattening this into “it is all a mess” isn’t useful.
Saying “machines are dangerous” or “we all die sometimes” isn’t fitting after Randall is maimed and pulverized in a preventable industrial accident where the conveyor belt dragged him into a box-forming machine. Randall should not wear long sleeves. Randall should not have disabled the “screaming means something has gone wrong” sensors. Randall should not run the system at 5X speed while smoking meth.