If you download and install untrusted code extensions, you’re screwed. Not like it’s rocket-science.
As we push more average Windows users to Linux, we need to be prepared for these users to download and run completely untrusted code.
Let’s be honest, how many current Linux users can trust any code that they run? There’s so many guides and instructions where you essentially copy/paste commands to install or configure something that it would be difficult for your average user to verify everything.
If you feel overwhelmed by this, an easy rule of thumb is sticking to distro packages of a trusted dist. Ideally ones with long track record, centralized packaging and tiered rollouts.
Roughly,
-
High community trust: Debian, SUSE, Fedora, Ubuntu
-
Depends on the package but at least everything is transparent with some form of process, contributors vetted, and a centralized namespace: Arch, Alpine, Nixpkgs
-
Anything and anyone goes, you are one typo away from malware but hey, at least things get taken down when folks complain: AUR, GitHub, NPM, DockerHub, adding third-party ppa/copr
-
IDGAF:
curl | sh
-
With no indication that VoidLink is actively targeting machines, there’s no immediate action required by defenders, although they can obtain indicators of compromise from the Checkpoint blog post.
Don’t click on the article. It’s an AI regurgitated summary and internet rot site.
You’re welcome.
Did you just call Ars Technica an “internet rot site”?
Good way to make it obvious you don’t know what you’re talking about without saying you don’t know what you’re talking about.
Do I need to repeat myself or is your skull too thick? Try using those links in a year from now Ars is literally an Arse of the tech industry.
Ok, noted. Troll identified and blocked.
“oh no someone said the truth but it hurts my feelings” blocked
