They are making you think about what you are doing before you click the link. That's not theatre; that's keeping people from clicking arbitrary links to zip files, which can auto-execute code once downloaded.
I’d suggest that those who think it is theatre probably don’t understand the implications of that action.
We understand exactly the implications of that action. There are no implications.
Simply downloading a zip from Amazon has zero risk. Even opening an arbitrary zip has essentially zero risk. RCE from opening a zip is obviously a really critical and valuable vulnerability and would not be wasted with a public link.
Combine that with the fact that this comes from a voice cloning GitHub repo and the chance of this having some 0-day are infinitesimal.
Finally, just making the link non-clickable does not add security. Nobody can take any action to increase their security because they have to slightly edit a link (not that they would, because it's sensibly a clickable link in the GitHub readme).
So yes, I fully understand the implications and it is definitely security theatre.
I suggest that those who think that it isn't probably haven't really thought about the threat model.
I'll be honest. You've put way more thought into this than I did.
But in the spirit of Hacker News, I'll continue the argument.
> There are no implications.
Untrue and absolutist.
> Simply downloading a zip from Amazon has zero risk.
Agreed.
> Even opening an arbitrary zip has essentially zero risk. RCE from opening a zip is obviously a really critical and valuable vulnerability and would not be wasted with a public link.
Broadly agreed. History is full of unzip vulns, but I agree that this doesn't seem likely. Much easier to persuade folks to deliberately run their malware by using the latest fad as a hook. I'm not claiming that happened here.
> Combine that with the fact that this comes from a voice cloning GitHub repo and the chance of this having some 0-day are infinitesimal.
Maybe you know these authors and this repo and trust them. I don't. I'm sure they are lovely, I have no idea, I've done no research, and I've never heard of them before. That being said, if I wanted to distribute a backdoor or cryptominer to a bunch of people with powerful computers, I'd definitely hop on the AI bandwagon.
> Finally just making the link non-clickable does not add security.
I disagree. Some of the commenters here are rather savvy and will properly evaluate what they are downloading. Some are not. Making a link unclickable will prevent a percentage of people from downloading. If shenanigans are discovered, someone will make a very loud comment warning folks to avoid the download. In that case some of those non-downloaders may have been saved from themselves.
Again, this wasn't a well thought out decision, but it was also a rather low impact decision, and I stand by it.
People like the parent routinely download all of the random zip files off the web that they can get their mouse cursors on. Nothing is going to stop them.
Yep. I don't worry about non-existent threats. Nothing is going to stop me because there is no risk. Have you ever been owned by downloading a zip? Me neither.
> That being said, if I wanted to distribute a backdoor or cryptominer to a bunch of people with powerful computers, I'd definitely hop on the AI bandwagon.
And write an entire novel research paper and open source the code and put it on GitHub? No you wouldn't. Don't be ridiculous.
> And write an entire novel research paper and open source the code and put it on GitHub? No you wouldn't. Don't be ridiculous.
You are moving the goalposts, why?
Regardless, generating a plausible sounding paper with source code is trivial with GPT-4. Obviously it wouldn't withstand scrutiny, but neither would my coinminer.
Just downloading a zip file won't auto execute anything.
And you can't meaningfully review it without downloading it, so it pretty much is security theatre.
On which operating systems can Zip files automatically self-execute? Android .APKs come to mind, although in this case, Android asks you whether you want to install the application and thus gives you a chance to prevent the execution.