Cybernetic Vermin posted:
uh, didn't precisely this thing happen last year too?

yep, and after that incident they changed npm so unpublished packages couldn't have their names hijacked by another user

except these packages just fell out of the database entirely so the anti-hijacking system didn't know they ever existed and they got hijacked anyway
# ? Jan 6, 2018 21:41 |
Can you imagine being the kind of person that builds a production system that completely explodes and then gets random malware installed on it every time some node person fat fingers an update, looks at it, and goes "this is a good design. If there's an outage I will angrily tweet at someone about it".
# ? Jan 6, 2018 21:48 |
you shouldn't be pulling from npm in production
# ? Jan 6, 2018 21:56 |
lol just lol if you have to work with npm
# ? Jan 6, 2018 22:00 |
CommunistPancake posted:
you shouldn't be pulling from npm in production

or in staging or in development
# ? Jan 6, 2018 22:13 |
SO DEMANDING posted:
I've got an older z77 based board and have to use AI suite 2 (as opposed to 3, the current version). I can't launch the program anymore but the background poo poo still functions including fan control. just have no way of changing it anymore lol. and fat loving chance asus will update the older program.

oh, is that why it's suddenly and consistently crapping out? not that it ever updated the bios correctly when it worked, but at least everything else was fine. their site barely functioned to check firmware so it feels consistent at least
# ? Jan 6, 2018 22:19 |
mrmcd posted:
Can you imagine being the kind of person that builds a production system that completely explodes and then gets random malware installed on it every time some node person fat fingers an update, looks at it, and goes "this is a good design. If there's an outage I will angrily tweet at someone about it".

it's me, i'm that person

CommunistPancake posted:
you shouldn't be pulling from npm in production

no you pull from npm on the build server that then pushes to production which is much better
# ? Jan 6, 2018 22:20 |
tbf i don't think it's a good design and wouldn't touch npm or build poo poo with it with a 10 foot pole if i wasn't being paid big buxx to do it
# ? Jan 6, 2018 22:21 |
eschaton posted:
last I checked a few years ago they didn’t, and I think they still don’t

pretty sure they were still making them a few years ago, but they may have stopped recently
# ? Jan 6, 2018 22:32 |
speaking of npm

https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

quote:
Lucky for me, we live in an age where people install npm packages like they’re popping pain killers.
# ? Jan 6, 2018 22:34 |
Truga posted:
speaking of npm

Love this bullsht "this is all fictional" at the end
# ? Jan 6, 2018 22:58 |
article probably is, but it's definitely happening somewhere in npm right now.
# ? Jan 6, 2018 23:06 |
Trabisnikof posted:
Love this bullsht "this is all fictional" at the end

and at the beginning
# ? Jan 7, 2018 00:04 |
Truga posted:
speaking of npm

erm, so what's stopping someone from doing this in nuget? or any third party library distributed as a dll or whatever other shenanigans for that matter?
# ? Jan 7, 2018 01:19 |
go play outside Skyler posted:
erm, so what's stopping someone from doing this in nuget? or any third party library distributed as a dll or whatever other shenanigans for that matter?

Nothing except the good sense of non-JS communities to not add uncountably many random dependencies to their code.
# ? Jan 7, 2018 01:25 |
go play outside Skyler posted:
erm, so what's stopping someone from doing this in nuget? or any third party library distributed as a dll or whatever other shenanigans for that matter?

you usually don't pull down a dll from the author's website as part of an install

for some reason this is normal practice in production for javascript
# ? Jan 7, 2018 01:32 |
maybe they’re deleting the repositories because JavaScript is over after all, everyone has it turned off in their browsers now, right? and nobody in their right mind uses it anywhere else.
# ? Jan 7, 2018 01:34 |
go play outside Skyler posted:
erm, so what's stopping someone from doing this in nuget? or any third party library distributed as a dll or whatever other shenanigans for that matter?

it's apparently been resolved and here's a terse post about it

https://status.npmjs.org/incidents/41zfb8qpvrdj

anthonypants fucked around with this message at 01:58 on Jan 7, 2018
# ? Jan 7, 2018 01:56 |
Cybernetic Vermin posted:
motherboards are glorified connector breakout boards these days, as things (memory, disk and bus controllers, graphics, network etc. etc.) have moved into the processor

lol just lol

things like pci express and especially dram need very careful pcb layout and decoupling to even work these days

but it's far worse than that. firmware needs all kinds of customization to get everything working together

the more reputable motherboard vendors (i'm thinking of supermicro here, not actually "reputable" but a distinct cut above the gamercrap) will tell you things like exactly which dimms they validated for proper operation in their motherboards. smart people stick to that list because lol relying on auto negotiation and training based on firmware reading the spd eeproms of random dimms is not anywhere near as reliable at generating a 100% stable system as it ought to be

what i'm saying in a roundabout way is that "intel provides all of it" isn't actually a thing. yes intel makes all the controllers but that doesn't mean the job's done. system integration to make a functioning motherboard still takes a ton of work, by somebody who is not intel, often working from guidelines and references supplied by intel, but still not intel

much of the end product of that system integration work is in the bios

so no, you can't just look at the list of ports on a motherboard and say "why yes this should work as well as anything else with the same ports". it doesn't work like that, at all. vendor a can in fact do a much better job at a zillion aspects of making a functioning pcie slot than vendor b, despite the fact that it's the same intel pcie controller both times.
# ? Jan 7, 2018 02:29 |
intel still makes top-to-bottom server platforms (motherboard included) if for some reason you're not buying from some other tier-1 OEM. i don't believe they make workstation boards any more, and they haven't made consumer motherboards for a few years now. imo, the biggest differences you'll find between most board vendors will be firmware and power component quality. and trust me, you can gently caress up plenty with just lovely UEFI
# ? Jan 7, 2018 04:02 |
https://twitter.com/0xMatt/status/949827175938637825
# ? Jan 7, 2018 04:16 |
spankmeister posted:
Ken owns

yeah i just found his blog a few days ago and i love it

my favorite so far is where he wrote the bitcoin hash algorithm for a 1960s ibm mainframe, and it was like 80 seconds per hash.
# ? Jan 7, 2018 04:52 |
https://twitter.com/_MG_/status/949684949614907395
# ? Jan 7, 2018 04:55 |
Elder Postsman posted:
yeah i just found his blog a few days ago and i love it

the disappointing thing is that iirc from reading that bitcoin thing he actually takes bitcoin seriously and thinks it is worthwhile
# ? Jan 7, 2018 05:15 |
npm is venture backed and incorporated for-profit. that's everything you need to know about npm, lol
# ? Jan 7, 2018 05:37 |
infernal machines posted:
intel still makes top-to-bottom server platforms (motherboard included) if for some reason you're not buying from some other tier-1 OEM. i don't believe they make workstation boards any more, and they haven't made consumer motherboards for a few years now.

istr the intel server platforms are rebranded tyan
# ? Jan 7, 2018 05:39 |
go play outside Skyler posted:
erm, so what's stopping someone from doing this in nuget? or any third party library distributed as a dll or whatever other shenanigans for that matter?

i dunno what nuget is, but most package managers are centrally controlled and curated and fuckups still sometimes happen

on the other hand, npm is "anyone can publish anything", and there's absolutely nothing stopping you from doing the thing described in there

e: imagine enabling rpmfusion on your production server. that's what npm is, lol
# ? Jan 7, 2018 05:42 |
https://twitter.com/taviso/status/949804775473737728
https://twitter.com/taviso/status/949823393989238785
# ? Jan 7, 2018 05:43 |
apparently the vulnerability is that it spins up an RPC server on localhost and it had an Access-Control-Allow-Origin header of * which means that any website could send rpcs to your wallet
# ? Jan 7, 2018 05:54 |
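The localhost RPC problem in the post above, worked through as an added example; this is not code from the wallet being discussed or from any project. The RPC methods (`getBalance`, `send`), the in-memory balance, the allow-listed origin `http://localhost:8080` and the sample requests are all constructed for illustration. The weak policy reflects `Access-Control-Allow-Origin: *`, so a page at any origin can call the RPC and read the reply; the hardened policy checks the `Origin` header against an allow-list and refuses the request before any method runs. That last point matters: a browser still delivers a cross-origin POST even when no CORS header comes back, so omitting the header only hides the response, while rejecting untrusted origins stops the state change itself.

```javascript
// Added example (not from the wallet or any project): a tiny in-memory "wallet"
// RPC with two methods, one read-only and one that moves funds. State lives in
// a closure so each server instance is isolated. Requests are plain objects
// { headers: { origin?: string }, body: string } so the logic runs offline.
function createRpcServer(corsPolicy) {
  let balance = 100; // constructed starting balance
  const methods = {
    getBalance: () => balance,
    send: ({ amount }) => { balance -= amount; return balance; },
  };

  // Returns { status, headers, body } in the shape an HTTP handler would emit.
  return function handle(req) {
    const cors = corsPolicy(req.headers.origin);
    if (cors === null) {
      // Origin not trusted: refuse before any method executes.
      return { status: 403, headers: {}, body: '' };
    }
    let call;
    try { call = JSON.parse(req.body); } catch (e) { return { status: 400, headers: cors, body: '' }; }
    const fn = methods[call.method];
    if (!fn) return { status: 404, headers: cors, body: '' };
    const result = fn(call.params || {});
    return { status: 200, headers: cors, body: JSON.stringify({ result }) };
  };
}

// Weak policy, as described in the thread: every origin gets "*", so any web
// page the user happens to visit can call the RPC and read the answer.
function weakCorsPolicy(origin) {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Hardened policy: only an explicit allow-list of origins is accepted; any
// other Origin is rejected outright (null). Requests with no Origin header
// (curl, the wallet's own CLI) pass through with no CORS headers at all.
function makeAllowListPolicy(allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return function policy(origin) {
    if (origin === undefined) return {};
    if (!allowed.has(origin)) return null;
    return { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
  };
}

// Constructed sample requests: a page at an untrusted origin tries to move
// funds, and the wallet's own UI asks for the balance.
const untrustedSend = {
  headers: { origin: 'https://untrusted.example' },
  body: JSON.stringify({ method: 'send', params: { amount: 40 } }),
};
const trustedRead = {
  headers: { origin: 'http://localhost:8080' },
  body: JSON.stringify({ method: 'getBalance' }),
};

// Run both policies against the same requests and return the responses.
function demo() {
  const weak = createRpcServer(weakCorsPolicy);
  const hardened = createRpcServer(makeAllowListPolicy(['http://localhost:8080']));
  return {
    weak: weak(untrustedSend),            // 200, funds moved, reply readable by the page
    hardened: hardened(untrustedSend),    // 403, nothing executed
    hardenedTrusted: hardened(trustedRead), // 200, balance still 100
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

To use the hardened policy in a real server you would call `handle` from an `http.createServer` callback after reading the request body, keeping the allow-list to the exact origins the wallet UI is served from; the `Vary: Origin` header is there so any cache in front keys its entries on the origin as well.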
I got a kick out of the oss-security message the other day about a password generator that wasn't very good at its one job:

quote:
Hi folks,

code:

Only now when I went to make this post did I discover that the "senior developer" who runs this project arrived at this state after receiving these previous bug reports:

- 2016 bug report: PRNG seeding is done totally wrong
- 2015 bug report: qrand always generating the same sequence of passwords

At a certain point you should just delete the project and pretend it never existed out of shame.
# ? Jan 7, 2018 06:22 |
James Baud posted:
I got a kick out of the oss-security message the other day about a password generator that wasn't very good at its one job:

pass itself actually does this "right" (for the unix definition of "right") and defers to the pwgen program iirc, idk how you could copy it and gently caress that up but lol
# ? Jan 7, 2018 06:30 |
ate all the Oreos posted:
pass itself actually does this "right" (for the unix definition of "right") and defers to the pwgen program iirc, idk how you could copy it and gently caress that up but lol
# ? Jan 7, 2018 06:40 |
anthonypants posted:
because it's cross-platform and windows doesn't have pwgen

so cross platform C++ aka a long string of ifdefs
# ? Jan 7, 2018 07:00 |
James Baud posted:
Only now when I went to make this post did I discover that the "senior developer" who runs this project arrived at this state after receiving these previous bug reports:

Also Jan 2017 bug report/pull request: Also use win32 crypt api for password generation on windows

Q: "[This] Could also be extended to use other apis on other platforms e.g. /dev/random on linux. Does this sound worthwhile or is it being work on elsewhere?"

A: "Thanks for this update @treat1, I'll look into the /dev/random and other implements later on "
# ? Jan 7, 2018 07:03 |
anthonypants posted:
https://twitter.com/taviso/status/949804775473737728
https://twitter.com/taviso/status/949823393989238785

https://adam-roberts.co.uk/
# ? Jan 7, 2018 07:53 |
i'm the broken image header
# ? Jan 7, 2018 08:08 |
infernal machines posted:
intel still makes top-to-bottom server platforms (motherboard included) if for some reason you're not buying from some other tier-1 OEM. i don't believe they make workstation boards any more, and they haven't made consumer motherboards for a few years now.

who even makes workstation and non-gamercrap consumer Intel-chipset motherboards these days?
# ? Jan 7, 2018 08:44 |
eschaton posted:
who even makes workstation and non-gamercrap consumer Intel-chipset motherboards these days?

everyone but no one if you'll be an old conservative over marketing
# ? Jan 7, 2018 08:48 |
depends on how you define workstation i guess. anything dual-socket will be legit, but there's not much of that. beyond that anything single socket that supports xeons and ecc should count, and gigabyte, asus, et al. have something, it's just hard to find unless you go digging for it on their site.
# ? Jan 7, 2018 08:55 |
there's a fairly major manufacturer of glass curtain-walls in north america that buys nothing but cad stations built around consumer grade motherboards and the 2fast2furious pcgaming videocard of the day, because it saves nearly 50% per workstation over whatever optiplex model and certified drivers don't mean poo poo in cad and solidworks these days
# ? Jan 7, 2018 08:59 |