by uqual
64 days ago
I can see some justification for not notifying developers of their actual pending suspension if they have not acted on prior notifications requiring verification steps. Suppose a developer account, say that associated with VeraCrypt, had been compromised and the compromiser knew or feared they were unable to successfully pass verification. The compromiser could be exploiting their access to modify the product in profitable but fairly benign ways (say making VeraCrypt part of a botnet that didn't do any damage to the host beyond consuming some resources). However, if they got a message saying "Your account will be suspended in 12 hours if you do not pass verification", the compromiser would know that their profit would/could drop or go away. In response, they might push out one last "mandatory auto install" update with a nuclear bomb (perhaps with a delayed trigger) to just do malicious damage to hosts out of spite.