[asveikau]

The heuristics powering this, as well as the Windows Defender whitelisting, are terrible.

My understanding is that a specific binary needs to become popular for it to stop being flagged. This creates a chicken and egg problem. Users are not incentivized to use the program with the warning. But removing the warning requires many people to ignore the warning.

This is a big problem for anyone writing Windows software. An indie developer or small open source project is not going to do well with this.

[csomar]

I found out a similar thing with my website being blocked by corporate firewalls. You need to create profiles at these cyber companies and then wait for whitelisting so that they can drop the ban.

[raxxorraxor]

This is also what I call bullshit security. These mechanisms are designed to chain developers to infrastructure of the OS provider. Apple does the same shit for that matter.

[jasomill]

Does Microsoft get kickbacks from code signing certificate vendors?

Because AFAIK SmartScreen only applies to software downloaded outside the Microsoft Store.

Come to think of it, I suppose it does incentivize distribution through the Store, so you make a good point.

[whateverboat]

This is also happening on linux for me.

[kencausey]

Don't make statements like this without more explanation. In what way is this happening to you specifically? What distribution and platform are you using? Did you explicitly install something to warn you about 'side-loading' executables?

[gruez]

>My understanding is that a specific binary needs to become popular for it to stop being flagged. This creates a chicken and egg problem.

Given the recent npm axios compromise this sounds like a pretty smart move?

[dqv]

How is it a smart move? Here, Microsoft is training users to ignore a security warning. If the same mechanism were added to NPM (that is, a warning that the package is suspicious and for the user to be extra sure they want it), users would have been trained to ignore any security warning issued for the compromised axios version (just like they had ignored it for all previous "clean" versions) and installed it anyway.

[pooploop64]

It has certainly had that effect on me. When I heard that notepad++ was being flagged for something somewhere by someone, all I thought was "so they forgot to pay a protection fee?" Genuinely I thought it was being brought it up just as an indication that the developer may be absent or asleep at the wheel. There is literally no association in my brain between one of these warnings and the concept of software being compromised or not.

And I've seen other less tech inclined people click right through these without a moment's thought. They think it's just one of those things computers have to complain about.

[kmeisthax]

The relevant heuristic in NPM supply-chain compromises would be the age of the specific binary. i.e. a freshly released package is riskier than one that's been around for a few days. So perhaps the policy should be that NPM doesn't install new package versions unless they've been public for 24 hours, or there's a signed override from the package repository itself stating that the update fixes a security issue. Of course, that would also require the NPM team have a separate review process for signing urgent security fixes.

[Frotag]

Conveniently M$ lets you buy a signing certificate to fix this.

https://stackoverflow.com/questions/48946680/how-to-avoid-th...

[pimterry]

EV no longer skips smartscreen either nowadays. I understand that was abused, so it's treated as the same as OV. Having a certificate allows the cert itself to accumulate trust (rather than each binary independently doing so) and provides better UX and I suspect an initial small boost to trust signal, but doesn't bypass the initial distrust. There's no way to avoid that AFAICT and even if you're an established business you hit it at intervals because all these certificates expire and so the whole process resets every few years anyway. What a mess.

[gruez]

>There's no way to avoid that AFAICT and even if you're an established business you hit it at intervals because all these certificates expire and so the whole process resets every few years anyway. What a mess.

Maybe have overlapping sets of certificates and dual sign your binaries? That way there's always an "aged" certificate available.

[burnte]

> EV no longer skips smartscreen either nowadays. I understand that was abused

EV was always going to be abused. It started out promising to be a human verified, $10k cert that meant you were GUARANTEED to be who it said you were. Now I can get one for a couple hundred bucks.

The solution is to separate identity from encryption. They never should have been linked.

[asveikau]

> EV no longer skips smartscreen either nowadays.

Not sure of the exact number, but the "nowadays" here is more than a decade.

[asveikau]

Last I checked they can still quarantine your binary if it's properly signed and they decided it hasn't gained traction.