Trivy (a very widely-used security scanner) was recently compromised. Anyone who installed the aquasecurity/trivy-action dependency by tag rather than by sha during a 3-hour period on March 19 was likely compromised. There is a GitHub security advisory at https://github.com/aquasecurity/trivy/security/advisories/GH...
6 separate people have tried to submit this to HN. All of the submissions are marked as [dead]. I am unsure whether this is a malicious action taken by the actors who compromised trivy or whether it's just the result of prior spam under github.com/aquasecurity, but regardless it is probably not ideal for security advisories to be auto-marked as [dead].
Please just email us (hn@ycombinator.com) when something like this happens.
Moderators didn't see these submissions or if we did, we didn't know why this project or incident was significant or important.
Now we've seen it, we've boosted the first submission of the incident onto the front page, and updated the URL and title to the most up-to-date/complete page about the incident.
The reason the submissions were being killed is that the GitHub account's address had been banned on HN due to previously being submitted by spam bots.
Noted and sent. Thanks for all your hard work.
I emailed this post to the mods (using the footer contact link) on behalf of OP so they have a chance to assess and reply.
Looks like the repository URL was marked [dead] for several years, I can't tell why. Best to email the moderator (link in footer).
Big security stories often get republished, one might say reviewed and filtered. For this story I see
opensourcemalware.com - https://news.ycombinator.com/item?id=47449498
stepsecurity.io - https://news.ycombinator.com/item?id=47451081
arstechnica.com - https://news.ycombinator.com/item?id=47464996
and 4 others.
Looking at https://news.ycombinator.com/from?site=github.com/aquasecuri... around 2024 when the dead started, a spambot ring was repeatedly posting it?
(You may need to turn on "showdead" to see it; in 2024 they have similar posts.)
Maybe it was intentionally compromised all along.
Oh that's clever. Use the spambot ring to promote the story so that the story gets marked dead because of that! Instead of hiding the news, use the botnet to promote it and use the system against itself.
I've noticed some HN posts get a higher-than-average number of replies from LLM bots. I've wondered if this has a downranking effect due to the upvote/comment ratio, and whether people might be using bots to do this intentionally. Alternatively it could just be that the bots "like" certain keywords more than others.
Please email links to the bot comments to the mods so they can remove this manipulation and its effects.
Yea, this looks like a lingering auto-moderation on the Github repo URL prefix due to past spam attempts.
You should just mail hn@ycombinator.com about this stuff.
Or: write a short blog post about it, and post that, on your (different) domain.
What if their goal is more to raise awareness about HN moderation practices than to fix the problem quickly?
It's certainly worked. Lots of people have seen this and now have a slightly worse opinion of HN moderation.
Probably offset by the people whose opinion of HN moderation will improve as a result of this. Six of one, &c.
People tend not to attribute random spam filter breakdowns to the humans moderating content, other than when a specific person suffers over it and takes especial umbrage. It’s more likely that people who visit the story will now have a slightly worse opinion of OP, which sucks because OP is using a poor method to make a good report of a meaningful problem that needed solving. Methods matter! This meeting should have been an email.
> raise awareness about HN moderation practices
What practices?
Are you asking them to be specific about what they dislike or something?
I feel like the answer to "What practices?" is obvious: "The reason the submissions were being killed is that the GitHub account's address had been banned on HN due to previously being submitted by spam bots."
I was wondering what “moderation practices” related to this story they thought warranted people having a worse opinion of HN moderation? It's unlikely they were referring to automated spam filters.
I did not see it but I was not affected since I had pinned the tag and used a cool down; practices whose value I reminded my coworkers of with this post.
Pinning the tag will not save you - the tags were force-pushed. The cooldown probably did save you but you should check for the indicators of compromise listed on the security advisory page.
The release I was on (0.69.3) was immutable.
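The exchange above turns on three habits: pin actions by commit SHA rather than by tag, notice when a tag you adopted has been moved (which is what a force-pushed tag looks like from the consumer's side), and wait out a cooldown before adopting a fresh release. The script below is an added example written for this thread, not code from Trivy, Aqua Security or any commenter; it goes a little beyond the posts by covering all three checks in one place. Every workflow line, action name, tag, SHA and date in it is constructed sample data, and the lockfile and "current resolution" dictionaries stand in for what you would record at adoption time and fetch later with `git ls-remote --tags`.

```python
"""Added example (not from the thread): three defender-side checks for the
practices discussed above, pinning actions by commit SHA rather than by
tag, detecting a tag that has moved since you adopted it, and applying a
release cooldown. All workflow text, action names, tags, SHAs and dates
below are constructed sample data."""
import re
from datetime import datetime, timedelta, timezone

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")


def audit_uses(workflow_text):
    """Classify every `uses:` step in a workflow file.

    Returns (line_no, reference, status) tuples, where status is:
      pinned  - full 40-hex commit SHA, or a docker image by sha256 digest
      mutable - tag or branch name; the owner (or an attacker) can move it
      missing - no ref at all; GitHub resolves it to the default branch
      local   - a path inside the calling repo; nothing external to pin
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        code = line.split(" #", 1)[0]          # drop trailing YAML comments
        m = USES_RE.match(code)
        if not m:
            continue
        ref = m.group(1).strip("\"'")
        if ref.startswith("./"):
            status = "local"
        elif ref.startswith("docker://"):
            status = "pinned" if "@sha256:" in ref else "mutable"
        elif "@" not in ref:
            status = "missing"
        else:
            version = ref.rsplit("@", 1)[1]
            status = "pinned" if SHA_RE.match(version) else "mutable"
        findings.append((line_no, ref, status))
    return findings


def unpinned(findings):
    """The subset a CI gate should fail on."""
    return [f for f in findings if f[2] in ("mutable", "missing")]


def detect_tag_drift(lockfile, resolved_now):
    """Compare the commit each tag pointed at when it was adopted (lockfile)
    with where it points now. A mismatch is what a force-pushed tag looks
    like from the consumer's side; pinning the tag name alone cannot see it."""
    return [(tag, sha, resolved_now.get(tag))
            for tag, sha in lockfile.items()
            if resolved_now.get(tag) != sha]


def releases_ready(release_dates, now, min_age=timedelta(days=7)):
    """Cooldown: only adopt a release once it has been public for min_age,
    giving maintainers and the community time to notice and revert a bad one."""
    return {tag: (now - published) >= min_age
            for tag, published in release_dates.items()}


# Constructed workflow fragment; every action, tag and SHA here is made up.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout-action@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: example-org/scanner-action@v1.2.3   # mutable tag
      - name: Run from branch
        uses: example-org/scanner-action@main
      - uses: example-org/unversioned-action
      - uses: ./.github/actions/local-step
      - uses: docker://example/image:1.0
"""

# Constructed lockfile: the commit each tag resolved to when first adopted.
LOCKFILE = {
    "example-org/scanner-action@v1.2.3": "0123456789abcdef0123456789abcdef01234567",
    "example-org/other-action@v2.0.0": "89abcdef0123456789abcdef0123456789abcdef",
}
# Constructed current resolution (what `git ls-remote --tags` would return
# today), with one tag deliberately moved to simulate a force-push.
RESOLVED_NOW = {
    "example-org/scanner-action@v1.2.3": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
    "example-org/other-action@v2.0.0": "89abcdef0123456789abcdef0123456789abcdef",
}
# Constructed release dates and "now" for the cooldown check.
SAMPLE_NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)
SAMPLE_RELEASE_DATES = {
    "v1.2.3": datetime(2025, 1, 1, tzinfo=timezone.utc),   # 9 days old
    "v1.2.4": datetime(2025, 1, 8, tzinfo=timezone.utc),   # 2 days old
}

if __name__ == "__main__":
    for line_no, ref, status in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no:>2}: {status:<8} {ref}")
    for tag, was, now in detect_tag_drift(LOCKFILE, RESOLVED_NOW):
        print(f"TAG MOVED: {tag} was {was[:12]} now {(now or 'gone')[:12]}")
    print(releases_ready(SAMPLE_RELEASE_DATES, SAMPLE_NOW))
```

Run against the constructed workflow it flags four of six steps (the tag, the branch, the ref-less action and the undigested docker image), reports the one tag whose recorded SHA no longer matches, and marks only the nine-day-old release as past the cooldown. The useful property of the lockfile check is that it does not trust the tag at all: the SHA recorded at adoption is the thing compared, so a retagged release shows up as drift whether or not the tag name changed.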