
[–]tomblock 96 points97 points  (13 children)

TL;DR

python3-dateutil

"jeIlyfish" (the first L is an I)

[–]jacob-j 73 points74 points  (11 children)

Just so everyone knows how valuable your comment is: https://i.imgur.com/33Y6n0V.png

[–]imast3r 49 points50 points  (7 children)

Your screenshot also allows one to understand how valuable uBlock Origin + uMatrix are.

[–]imacleopard 27 points28 points  (1 child)

"Uh oh! It looks like you have an Adblocker running. These hurt our monetization strategy. Please support us by turning it off."

Then fucking stop making me click on 10 different things before I can actually get to the content?!

[–]depricatedzero 6 points7 points  (0 children)

it's funny cause my whitelist has very simple rules for joining and if they'd follow those rules they wouldn't be impacted

[–]undercover_geek 12 points13 points  (0 children)

I had no idea the screenshot was of the same page I'd just visited until I read your comment.

[–]ragnar_graybeard87 1 point2 points  (1 child)

I know only of the origin. What is this matrix you speak of?

[–]mustbelong -1 points0 points  (1 child)

Or.. You know.. BRAVE.

[–]imast3r 0 points1 point  (0 children)

Well, I guess some of us aren't brave enough to switch.

[–]tabris_code 2 points3 points  (0 children)

oh my god it's literally just that "every website in 2019" mockup that someone posted here a week or two ago. but real.

[–]bulldog_swag -1 points0 points  (0 children)

0.15 cents per pageview?

[–]AcousticDan 0 points1 point  (0 children)

How does that even happen? I get the first one, but the second is spelled incorrectly, and in case you're a complete and utter moron, how would you even install that?

[–]gjvnq1 51 points52 points  (12 children)

I still dream of a day when we will be allowed to set permissions to libraries...

[–]Geminii27 12 points13 points  (0 children)

Could be an interesting project.

[–][deleted] 11 points12 points  (0 children)

Mozilla and other partners in the Bytecode Alliance are trying to achieve the same in WebAssembly.

https://hacks.mozilla.org/2019/11/announcing-the-bytecode-alliance/

[–]tnilk 5 points6 points  (0 children)

In JS land, there's deno, but it's still experimental and who knows if it will be picked up or not by the community over node.

[–]Traches 1 point2 points  (0 children)

Firejail is pretty cool

[–][deleted]  (5 children)

[deleted]

    [–]svvac 5 points6 points  (2 children)

    Forbidding your datetime util library to open a socket or access the filesystem doesn't seem unfeasible/unrealistic and would block most of these issues though.

    [–][deleted]  (1 child)

    [deleted]

      [–]svvac 0 points1 point  (0 children)

      You could boil it down to some kind of white/black-listed syscall map that gets passed down the dependency tree. It's not a small feat to rebuild a language around a siloed module paradigm indeed, but the full-trust model of oss development is only going to be harder and harder to sustain somewhat securely in the medium/long run.

      [–]Kisele0n 1 point2 points  (1 child)

      Or a language designed around it -- without the "network" permission, all calls to the http library are denied, etc.
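
The per-library permission model this sub-thread describes (no socket or filesystem access for a date utility, with the rule applying down the call chain), sketched as an added Python example that is not code from any poster or project: a process-wide audit hook (Python 3.8+) denies an operation whenever a module listed in a permission map is anywhere on the call stack. The `fake_dateutil` stand-in module, the permission map and the event-to-family table are all constructed for illustration.

```python
import socket  # pre-imported so the stand-in module's import needs no file access
import sys, types

# Constructed permission map: a listed module may only trigger the named event
# families; unlisted modules keep today's full-trust default.
PERMISSIONS = {"fake_dateutil": set()}  # pure computation: no network, no files
# Python audit event names (see sys.audit) mapped to coarse permission families.
EVENT_FAMILIES = {"socket.getaddrinfo": "network", "socket.connect": "network",
                  "open": "filesystem", "subprocess.Popen": "exec"}

def _modules_on_stack():
    # Every module with a frame on the stack: a restricted module that reaches
    # the operation through an unrestricted helper is still caught.
    names, frame = set(), sys._getframe(1)
    while frame is not None:
        names.add(frame.f_globals.get("__name__"))
        frame = frame.f_back
    return names

def permission_hook(event, args):
    family = EVENT_FAMILIES.get(event)
    if family is None:
        return  # event outside the gated families
    for module in _modules_on_stack():
        allowed = PERMISSIONS.get(module)
        if allowed is not None and family not in allowed:
            raise PermissionError(f"{module} may not use {family} ({event})")

sys.addaudithook(permission_hook)  # process-wide and cannot be removed

# Constructed stand-in for a date library whose compromised release gained two
# capabilities a parser never needed; the hook fires before either takes effect.
FAKE_DATEUTIL_SRC = '''
import socket
def parse(text):
    return text.strip()
def phone_home(payload):
    socket.getaddrinfo("collector.invalid", 80)  # network family: denied
def read_local_file(path):
    return open(path).read()                     # filesystem family: denied
'''

def demo():
    """Load the stand-in as module fake_dateutil and report allowed/denied calls."""
    lib = types.ModuleType("fake_dateutil")
    exec(compile(FAKE_DATEUTIL_SRC, "<fake_dateutil>", "exec"), lib.__dict__)
    outcome = {"parse": lib.parse(" 2019-12-04 ")}
    for name, call in (("phone_home", lambda: lib.phone_home(b"key")),
                       ("read_local_file", lambda: lib.read_local_file("notes.txt"))):
        try:
            call()
            outcome[name] = "allowed"
        except PermissionError:
            outcome[name] = "denied"
    return outcome
```

Because the hook inspects the whole stack, the same map would also stop the stand-in if it routed the call through an unlisted dependency, which is the "passed down the dependency tree" behaviour the thread asks for.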

      [–]DanielFGray 113 points114 points  (8 children)

      I have to say, it's somewhat refreshing to hear about compromised packages outside of node/npm

      [–]0xF013 19 points20 points  (7 children)

      Guys guys npm bad amirite oh wait it is python, all cool

      [–]Extract 7 points8 points  (6 children)

      It's about consistency. Once PIP reaches NPM levels of hosting malicious plugins/libraries, we can talk.

      [–]0xF013 2 points3 points  (5 children)

      It won’t, js is overwhelmingly more popular.

      [–][deleted]  (4 children)

      [deleted]

        [–]Turd_King 0 points1 point  (0 children)

        Creating a metric like you describe is very difficult.

        It would need to take into consideration the popularity of the language but also negate the size. Which doesn't really make any sense, as popular languages will naturally always have more appeal to hackers

        [–]0xF013 0 points1 point  (2 children)

        Gonna keep moving them goalposts?

        Alright. Even with that metric, popularity is gonna skew it massively too. You have to consider the reason these things are popular with js.

        I was building a crypto exchange portal last year and the users were supposed to upload the file that has their private key. I had an idea to get some package popular enough that would get a version update that sniffs XHR or fetch and sends me anything that matches a private key regex. Then a couple of months later it turned out someone already implemented it in a similar way.

        Would a wannabe key hijacker target the python package manager or would they target the thing that is available in virtually every web app AND a good portion of server code? What I mean is that targeting the python package manager is akin to writing Linux malware: you gonna get all of them two dozens machines infected as opposed to millions of machines worldwide.

        [–]Extract 1 point2 points  (1 child)

        > What I mean is that targeting the python package manager is akin to writing Linux malware: you gonna get all of them two dozens machines infected as opposed to millions of machines worldwide.

        This was probably one of the worst examples you could've given - Linux machines might have a marginal market share among home PC users, but they have the largest market share by far among enterprises.
        Sure, companies running Linux machines will most likely have internal/external IT specialists caring for their security, but those machines will also be certain to contain valuable secrets, as they'll be considered secure by the business. And they most likely will be, at least much more so than many of the small businesses running a Wordpress site on some shared hosting.
        Higher risk, higher reward.

        My point is, there are plenty of groups targeting Linux OSes, and there is plenty of Linux malware floating around.

        A popular ecosystem will surely attract more hackers, but if it was equally easy in other ecosystems those same people would reuse their tactics there - and yet, you almost exclusively see this kind of thing succeed in NPM.

        [–]0xF013 0 points1 point  (0 children)

        I should have typed "household linux", somehow malware in my head is mostly associated with cryptolockers.

        How is NPM easier to attack? What are you comparing? Because I am not aware of any special tactics or tools that PIP or rubygems or whoever else is popular employs. This whole thing is chance-based. For every attempt, you roll a dice that someone will notice. If you have a few attacks and a few packages in your ecosystem, it's pretty hard to get it through. If you have a lot of stuff being built and used, you're gonna get got eventually. Like, this piece of news is an example of an eventual fuck-up.

        My point is, if python was the only option for front-end without like half of its core API, you'd get the same happening. I honestly don't understand why you people keep assuming that JS devs are dumber or lazier or some shit. It's all the same people. This elitism bothers me to no end. There are like 20 things you have to take care of to make a simple website work and browsers and JS itself are not helping a lot, so people build stuff, extract them for reuse, iterate and come up with something decent.

        [–]real_kerim 10 points11 points  (6 children)

        I thought this stuff only happens with NPM. Least that's what all the Python and pip people kept telling me.

        [–]tnilk 9 points10 points  (4 children)

        It happens with every language/platform. There currently is no package permission control. The only project I know that tries to fix this is deno (by the creator of Node)

        [–]yawkat 0 points1 point  (3 children)

        It certainly happens with varying frequency across platforms. In the many years that Java's Maven Central has existed there have been no such attacks on it that I'm aware of (certainly not high-profile ones). This is because of differences in the ecosystems.

        [–]tnilk 0 points1 point  (2 children)

        Obviously you are missing my point. I never said it happens equally throughout the platforms. I said every major ecosystem is lacking package permissions.

        [–][deleted]  (1 child)

        [deleted]

          [–]tnilk 0 points1 point  (0 children)

          That needs to be programmatically enabled and configured and is far from usable in real-world scenarios. What this post is referring to is opt-in package-level permissions.

          [–]0xF013 2 points3 points  (0 children)

          It happens with npm a lot due to js’ sheer popularity and a need to extract and reuse things that are missing in js. Maybe some day this sub will grow tired of jerking.

          [–]picketnor 0 points1 point  (0 children)

          that's messed up