• 2 Posts
  • 5 Comments
Joined 1 year ago
Cake day: June 14th, 2023
  • OmnipotentEntity@beehaw.orgtoProgramming@beehaw.orgMalicious VSCode extensions with millions of installs discovered
    8·
    22 days ago

    Not quite. Their “malicious” extension only got a few hundred installs. Using the data gathered by that extension and via other means they were able to locate other actually malicious extensions. Those total in the millions of installations.

    Through this process, they have found the following:

    1,283 with known malicious code (229 million installs).
8,161 communicating with hardcoded IP addresses.
1,452 running unknown executables.
2,304 that are using another publisher's Github repo, indicating they are a copycat.
  • OmnipotentEntity@beehaw.orgOPtoProgramming@beehaw.orgDo Users Write More Insecure Code with AI Assistants? (arxiv paper)
    4·
    5 months ago

    Well, the problem is you don’t know what you don’t know. One of the first example tasks in the paper was regarding implementing a symmetric cipher. Using a weak cipher was recommended by AI tools sometimes, these developers didn’t know that some ciphers were weak. Additionally, even when the AI tool recommended a strong cipher, such as AES, it generated code that screwed up an implementation detail (failing to return the authentication tag), making the result insecure. And the user didn’t know it was wrong because they didn’t know it was incomplete.

    There’s no substitution for domain specific knowledge. Users who were forced to use traditional tools got the answer correct significantly more often because they had to read, process, and understand the documentation for the libraries, which meant they understood why the symmetric cipher was the way it is, and what additional information needed to be reported and why.