
There seems to be no need for ZIP. There seems to be no need for PDFs in it. Everything that is in PDF most likely could be presented by webpage/HTML/etc. Therefore yes, I complain that the files are compressed.

The need of downloading anything might be the point of that game, but people spreading viruses also like playing that way.



¯\_(ツ)_/¯ I trust my unzip utility and my pdf viewer just as much as I trust my browser.

I might have agreed with you 15 years ago, back in the age of antivirus and such.


>I trust my unzip utility and my pdf viewer just as much as I trust my browser.

The parent commenter is suggesting the random file may be malicious, not that their unzip utility or pdf viewer is untrustworthy.

They are further suggesting that the data contained within the zip could be distributed in a fashion that is less commonly weaponized (PDF is a common attack vector, zip is a common obfuscation method).

>I might have agreed with you 15 years ago, back in the age of antivirus and such.

What does this even mean? You still need antivirus today.


With their final statement, I think they are essentially stating that AV was a better shield 15 years ago and I don't disagree in a general sense.

Today's AV has to be more than it was in the past to be a successful shield, hence products like CYNET or CrowdStrike.

I still run AV at home on all systems, because I agree with you. AV is still needed and people without it...well, I wish them success.


Some of us don't open HTML e-mail or click on every ad banner they see. Some don't even see ads!

An AV is a waste of system resources unless you're a fool that's easily convinced into opening things you shouldn't.


>An AV is a waste of system resources unless you're a fool that's easily convinced into opening things you shouldn't.

Did Malware write this? lol


All I use is an adblocker and I've not dealt with malware in over a decade. Turns out if you stay away from shady places on the Web and don't click everything shoved in your face, you can keep a clean machine.

Meanwhile, I know plenty of people WITH antivirus and other shit with utterly compromised and slow shit. We can blame the user behavior instead of the antivirus, naturally, but how do we know the AV is protecting the user and not luring them into a sense of security so that they do risky things?

I'm clearly doing something right.


If ads and email were the only vectors of attack, I'd have a much easier job.


> The need of downloading anything might be the point of that game, but people spreading viruses also like playing that way.

I think that you underestimate the capabilities of modern malware, and overestimate the capabilities of the average lazy person.

Modern malware doesn't need this "download and execute" flow to activate. It exploits vulnerabilities in browsers and browser components to achieve arbitrary code execution. One click required (the one that leads you to the malware) [1].

A malware flow with manual downloading that leaves persistent breadcrumbs on your computer has more opportunities where a "real-time protection" antivirus can detect and stop the threat, so it's no longer the norm outside email attachments.

[1] https://github.blog/2023-09-26-getting-rce-in-chrome-with-in...


I don't see how what you're proposing makes sense.

It can't provide value to laypeople who're cut off from the internet if all that's passed around is a URL.



