• ISO@lemmy.zip · 1 upvote, 2 downvotes · edited · 2 days ago

    Maybe it’s a bug, but my false flag alarm bells are ringing loudly here. Although to be fair, they always do that whenever they get a whiff of anything from the modern security theater industry.

    Or maybe my mind is wrongly biased towards applying a “Problem - Reaction - Solution” reading to many “commercial” moves.

      • ISO@lemmy.zip · 6 upvotes · edited · 1 day ago

        I didn’t. And I was specifically referring to the published “analysis”.

        How do we know the supposedly malicious content (which hasn’t provably affected a single person) a security company finds, didn’t originate from that same company?

        • Crates NO ONE uses or ever used.
        • “with over 7,000 all-time downloads” immediately mentioned to make it sound like the above is not the case.
        • Our “AI” found a malicious base64 (wow, very fancy)!
        • Muh supply chain!
        • bla bla China bla bla

        It all sounds like a joke, and a lazily written one at that (Edit for fairness: the ctor part was a nice touch tbf).

        And this is not limited to this analysis, or this company, or the Rust ecosystem. The era of CVE logos and all that theater can become rather tiring, and AI slop took the silliness to a whole other level. Or as our friend Daniel puts it, it’s a “Death by a thousand slops”.

        • eah@programming.dev · 3 upvotes · edited · 1 day ago

          The CEO of Socket is this guy. I’m not sure that someone with those credentials would be heading a company engaged in what basically amounts to racketeering. Though, I suppose he might be unaware it’s happening. The company has many investors, any of whom would benefit from creating an environment that supports the company’s existence without the awareness of any of the employees. But it’s clear this isn’t some scam operation run by desperate people out of India, which was my first thought from reading your comment. There are reputable people with their reputations at stake. It would be a Theranos-level scandal if what you say was actually determined to be occurring. So, on the one hand, there are reputations at stake, and, on the other hand, Silicon Valley is not incapable of committing fraud.