undefined | Better HN

0 pointsjpalawaga7mo ago0 comments

So we’re declaring all software with auto-updaters as RCE? That doesn’t seem like a useful distinction.

0 comments

Software that automatically phoned home to check if an update is available used to be considered spyware if there wasn't a prompt at installation asking if you wanted that. The attitude was "Why should some company get my IP address and a timestamp telling them when/how often I'm online and using their software?" Some people thought that was paranoid.

We gave them an inch out of fear ("You'd better update constantly and immediately in case our shitty software has a bug that's made you vulnerable!") and today they've basically decided they can do whatever the fuck they want on our devices while also openly admitting to tracking our IPs and when/how often we use their software along with exactly what we're using it for, the hardware we're using, and countless other metrics.

Honestly, we weren't paranoid enough.

marshray7mo ago

From the perspective of the software vendor, it may be a semi-regular occurrence that they learn that users are being actively harmed by a software vulnerability exploited in-the-wild. So that's an argument that developers have a moral obligation to maintain the ability to push updates their users without delay.

Waiting for the user to click "Check for updates..." is effectively pushing this responsibility onto the users, the vast majority of whom lack the information and expertise needed to make an informed choice about the risk.

CGamesPlay7mo ago

We're talking about Claude Code, the frontend to the online, hosted LLM inference suite, right? The auto-updater isn't where they get their usage metrics.

skydhash7mo ago

That’s pretty much the definition. Auto updating is trusting the developer (Almost always a bad idea).

mr_mitm7mo ago

Simply running the software means trusting the developer. But even then, do you really read the commits comprising the latest Firefox update? How would I review the updates for my cell phone? I just hit "okay", or simply set up auto updates.

skydhash7mo ago

I trust Debian, and I do trust Firefox. I also trust Node, NPM, and Yarn. But I don’t trust the myriad packages in some rando projects. So who I trust got installed by apt. Anyone else is relocated to a VM or some kind of sandbox.

1 more reply

j / k navigate · click thread line to collapse

0 comments

autoexec7mo ago

Honestly, we weren't paranoid enough.

marshray7mo ago

CGamesPlay7mo ago

We're talking about Claude Code, the frontend to the online, hosted LLM inference suite, right? The auto-updater isn't where they get their usage metrics.

skydhash7mo ago

That’s pretty much the definition. Auto updating is trusting the developer (Almost always a bad idea).

mr_mitm7mo ago

skydhash7mo ago

1 more reply

j / k navigate · click thread line to collapse