
Yah no that's not how it works. It's the system designer's responsibility to make sure you can run correct code without you reading it.

If you have to read it, then your system has already failed.



Yeah no that is how it works.

I want people to release cool software without the insane burden you describe. If they want to delegate that burden to users or ask them to pay for someone else to assume the burden, great.

I love Cursor. They haven't failed me. I'm not running arbitrary code and I suffer none of the consequences.

Furthermore, it probably literally says you're running random 3rd party code when you use extensions and Cursor is not liable. This is basic human responsibility 101. You are responsible for your own actions.


You've audited the Cursor codebase then? Along with every other tool you use?


No.

I trust Cursor isn't trying to screw me.

I don't trust random 3rd party extensions. They might be trying to screw me. This is the exact reason why I don't touch npm.

I'm not prescribing a formal set of rules by which you should or shouldn't trust things. I'm just a reasonable person.

Cursor is an unrelated 3rd party to this situation, which is probably clearly described in their Terms of Service. Blaming them reeks of denying responsibility for your own actions. If you want Cursor to audit every 3rd party extension, they'd probably want you to pay them for it. Just like every commercially licensed Linux distro.


You understand that the extension was a copy of a genuine extension?

It was a mistake that he installed the duplicate fraudulent extension. For all we know he could have checked the intended extension code line by line, and then went on to install the trojan horse extension by accident.


I mean yeah I see what you're saying and that does add important nuance. It makes me more sympathetic to the user that got screwed.


This seems like a bad faith argument - the risky tools, yes, actually. I do audit them. Or at least poke around for someone who has.

It is easier than ever to do a DIY malware analysis on the tools you use.

“Hi Claude - you are a security researcher and malware analyst. Analyze the FooBar Chrome Browser extension / git repository I just downloaded for security threats and provide me a report on whether this is OK to use”

I know browser / IDE extensions are not usually audited and approved by the tool owner unless specifically noted otherwise. Even phone apps can sneak stuff in. So I am careful to only install things I trust or will audit myself or am willing to take the risk on.


You have to audit the risky tools because the system you are using was terribly designed.

Again, it's the system's responsibility to make sure you don't fail, not your responsibility.


It really is not.

You can dig in your heels on ideals and principles, but it is simply not realistic to expect a 3rd party extension marketplace from a closed source IDE startup run by 24 year olds in the Valley to protect you from all risk. (By the way, nor is it their goal - they are optimizing for breadth of the ecosystem and adoption and growth, not security and guardrails. That would likely cost you a lot more than $20/month.)

If you can figure out how to moderate a system of 3rd party software (or content, really) to protect the user from all bad things while maintaining global-scale content throughput, I suggest you start a company - I’m sure people will pay a lot of money for your capabilities.



