Posted on 01/14/2022 7:53:49 AM PST by ShadowAce
Chances are, unless you're a JavaScript programmer, you've never heard of the open-source JavaScript libraries 'colors.js' and 'faker.js.' They're simple programs that, respectively, let you use colored text in the console of Node.js, a popular JavaScript runtime, and create fake data for testing. Faker.js is used with more than 2,500 other Node Package Manager (NPM) programs and is downloaded 2.4 million times per week. Colors.js is built into almost 19,000 other NPM packages and is downloaded 23 million times a week. In short, they're everywhere. And, when their creator, JavaScript developer Marak Squires, fouled them up, tens of thousands of JavaScript programs blew up.
Thanks, guy.
This isn't the first time a developer deliberately sabotaged their own open-source code. Back in 2016, Azer Koçulu deleted a 17-line npm package called 'left-pad,' which killed thousands of Node.js programs that relied on it to function. Both then and now the actual code was trivial, but because it's used in so many other programs, its effects were far greater than users would ever have expected.
Why did Squires do it? We don't really know. In faker.js's GitHub README file, Squires said, "What really happened with Aaron Swartz?" This is a reference to hacker activist Aaron Swartz who committed suicide in 2013 when he faced criminal charges for allegedly trying to make MIT academic journal articles public.
Your guess is as good as mine as to what this has to do with anything.
What's more likely to be the reason behind his putting an infinite loop into his libraries is that he wanted money. In a since-deleted GitHub post, Squires said, "Respectfully, I am no longer going to support Fortune 500s ( and other smaller-sized companies ) with my free work. There isn't much else to say. Take this as an opportunity to send me a six-figure yearly contract or fork the project and have someone else work on it."
Excuse me. While open-source developers should be fairly compensated for their work, wrecking your code isn't the way to persuade others to pay you.
This is a black eye for open-source and its developers. We don't need programmers who crap on their work when they're ticked off at the world.
Another problem behind the problem is that too many developers simply automatically download and deploy code without ever looking at it. This kind of deliberate blindness is just asking for trouble.
Just because a software package was made by an open-source programmer doesn't mean that it's flawless. Open-source developers make as many mistakes as any other kind of programmer. It's just that in open source's case, you have the opportunity to check it out first for problems. If you choose to not look before you deploy, what happens next is on you.
Some criminal developers are already using people's blind trust to sneak malware into their programs. For example, the DevOps security firm JFrog recently discovered 17 new JavaScript malicious packages in the NPM repository that deliberately attack and steal a user's Discord tokens. These can then be used on the Discord communications and digital distribution platform.
Is that a lot of work? You bet it is. But there are tools such as npm audit, GitHub's Dependabot, and OWASP Dependency-Check that can help make it easier.
In addition, you can make sure that before any code goes into production, you run a sanity check on it in your continuous integration/continuous distribution (CI/CD) pipeline.
I mean, seriously, if you'd simply run either of these libraries in the lab, they would have blown up during testing and never, ever have made it into the real world. It's not that hard!
In the meantime, GitHub suggests you revert back to older, safer versions. To be exact, that's colors.js 1.40 and faker.js 5.5.3.
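As an added example, not from the article or from any project it names: a small Node.js check of the kind the CI/CD sanity-check advice above calls for. It refuses a deploy when package.json uses floating version ranges or when the lockfile resolves a watched package to a release outside a pinned allowlist. It assumes the lockfileVersion 2/3 layout and a constructed package.json; the article writes the safe colors.js version as 1.40, and the published npm tag for that release is 1.4.0.

```javascript
// Added example (not the article's code): a pre-deploy dependency gate.
// Exact pins only: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Packages to hold at known-good releases (values from the article; the
// article writes "1.40" for colors.js, the npm tag is 1.4.0).
const PIN_POLICY = { colors: ["1.4.0"], faker: ["5.5.3"] };

// Returns a list of human-readable findings; an empty list means "ok to deploy".
function checkDependencies(pkg, lock, policy = PIN_POLICY) {
  const findings = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, range] of Object.entries(declared)) {
    // "^1.4.0", "~1.4.0", "*", "latest", git URLs etc. all fail the exact-pin test.
    if (!EXACT.test(String(range).trim())) {
      findings.push(`${name}: floating range "${range}" in package.json; pin an exact version`);
    }
  }
  // lockfileVersion 2/3: "packages" maps "node_modules/<name>" (possibly nested,
  // possibly scoped) to an entry carrying the resolved version.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.replace(/^.*node_modules\//, "");
    if (!name || !(name in policy)) continue; // "" is the root project entry
    if (!policy[name].includes(entry.version)) {
      findings.push(`${name}: lockfile resolves ${entry.version}, allowed ${policy[name].join(", ")}`);
    }
  }
  return findings;
}

// Constructed sample input: one floating range and one off-policy lock entry.
const samplePkg = { dependencies: { colors: "^1.4.0", faker: "5.5.3" } };
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: samplePkg.dependencies },
    "node_modules/colors": { version: "1.4.1" }, // constructed: outside the allowlist
    "node_modules/faker": { version: "5.5.3" },
  },
};

const findings = checkDependencies(samplePkg, sampleLock);
for (const f of findings) console.log("DEPLOY BLOCKED:", f);
console.log(findings.length ? "gate: FAIL" : "gate: PASS");
```

Wire it in as a CI step that fails the job when the returned list is non-empty, so a floating range or an unexpected resolved version never reaches production unnoticed.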
As CodeNotary, a software supply chain company, pointed out in a recent blog post, "Software is never complete and the code base including its dependencies is an always updating document. That automatically means you need to track it, good and bad, keeping in mind that something good can turn bad." Exactly!
Therefore, they continued, "The only real solution here is to be on top of the dependency usage and deployment. Software Bill of Materials (SBOMs) can be a solution to that issue, but they need to be tamper-proof, queryable in a fast and scalable manner, and versioned."
CodeNotary suggests, of course, you use their software, Codenotary Cloud and the vcn command-line tool, for this job. There are other companies and projects that address SBOM as well. If you want to stay safe, moving forward you must -- I repeat must -- use an SBOM. Supply chain attacks, both from within projects and without, are rapidly becoming one of the main security problems of our day.
> wrecking your code isn’t the way to persuade others to pay you.
I don’t know. I think this is sort of tough shit for corp mgrs allowing immature nerds to make important decisions.
And not taking responsibility for their own branches (which would prevent a live shutdown as described in this article).
And preventing real, trustworthy software engineers from making important decisions.
The web is still to a large extent a fool’s paradise. Whatever real smarts the inventors 25 years ago had is mostly gone; certainly not carried on in the newer folks - a bunch of vain __ssies.
> wrecking your code isn’t the way to persuade others to pay you.
I don’t know. I think this is sort of tough shit for corp mgrs allowing immature nerds to make important decisions.
And not taking responsibility for their own branches (which would prevent a live shutdown as described in this article).
And preventing real, trustworthy natural-born American software engineers from making important decisions.
The web is still to a large extent a fool’s paradise. Whatever real smarts and “vision” the inventors 25 years ago had is mostly gone; certainly not carried on in the newer folks - a bunch of vain __ssies.
> This complete reliance on Smart This, Smart That and the Cloud is Mass Suicide.
Absolutely agreed. Bruce Schneier recently published a book called “click here to kill everyone”
Here's the Aaron Swartz stuff - YMMV.
Aaron Swartz murdered? Hmmm.
That would contradict the official story line as told by the MSM liars.
Food for thought - https://chronicle.su/news/aaron-swartz-was-murdered/
I just installed a new garage door opener yesterday and they are trying to get me to install an app so Amazon can open my door. What kind of shit is this?
Of course they do. After all, if it works on their machine it must be OK, right? /s
You would be surprised at how many sheep today think it GREAT that Amazon can open their garage door. STUPID PEOPLE!!
A company I worked for in the ‘90s had a guy like that. Put deliberate bugs in the code so that he could fix them later. He got fired when it was discovered.
> I just installed a new garage door opener yesterday and they are trying to get me to install an app so Amazon can open my door. What kind of shit is this?
People are dumb. My stereo keeps wanting me to allow internet access. I keep saying “not just no, but hell no!”.
I like being able to control volume and such from an app while I’m on my local lan, but there is no reason whatsoever to be able to control it from the internet itself.
Fortunately, I can restrict outbound and inbound access via my router’s ACLs and firewalls.
Not in OUR corporation. We undergo rigorous SIT and UAT, and test cases are generated from Acceptance criteria in the Stories.
Also, we have a Security Scan that spans all third party libraries and any open source material.
In fact, for a deploy to even be allowed, there must be at least one test case for every acceptance criteria bullet point, as well as a passed third-party security scan (among many other things).
You’re not quite clear on the definition of ‘hyperbole’, are you?
I had some Russian offshores, back in the late ‘90s, who would write the most convoluted code possible.
I finally asked one of them why. He told me, “In the former Soviet Union, to keep your developer job, you had to be the only one who could maintain it.”
TIP. Test In Production.
There are a gazillion stations but sound quality varies. I like the German Stations because the commercials are in Deutsch and like having no commercials at all. Sometimes you hear interesting stuff.
Yeah, if you are serious you must have QA and testing processes in place. Always amazing when stuff goes live without even basic testing.
" And, of course, nobody tests anymore... "
Now THAT is hyperbole! But that no creature of this world routinely speaks and writes using such a vast scope of expressive genres is not. Imagine a person from 200 years ago trying to understand descriptions such as "Cardinals sluggers slaughter Orioles hurler in gaining division crown." They might have thought someone lost their marbles.
What open source is really like.
Fast and right would be ideal, but in the real (non-ideal) world you have to use what is the best tool for the job. For mission-critical applications where a tiny bit of speed can be sacrificed (e.g. banking, finance, etc.), a no-nonsense, rock-solid language like Java is ideal, especially with its rich ecosystem like Spring and JEE.
For others that are heavily I/O or R/W oriented, like say a microblogging site with hundreds of thousands of users logging in and out and continually posting messages, multithreaded Java would not only slow things down but also hog resources (= high cloud services bill). This is where Node with its single-threaded/non-blocking nature would shine. Gab, for example, used to be on a more traditional platform like .Net or Java, I don't remember which. But as users spiked, especially after Trump was banned from Twitter, they started migrating to Node because Node was best at handling their specific use case. The more tools in your toolbox, and knowing which to use when, the better.