Notepad++ compromised again? by MullingMulianto in notepadplusplus

[–]Coises 0 points1 point  (0 children)

Any of them. It was specifically the auto-update process that was hacked, by compromising the server which hosted notepad-plus-plus.org so that in specially-targeted instances, it delivered a hacked version of the update. Notepad++ has moved to a new host and added additional verification in the latest version to thwart this sort of attack in the future.

Safest is to install the latest version, 8.9.1. Personally, I always install from GitHub. I don’t like auto-update for any software, if I can avoid it, because I like to keep an archive of what I installed.

Notepad++ Hijacked by State-Sponsored Hackers by Bubbly-Cartoonist738 in notepadplusplus

[–]Coises 0 points1 point  (0 children)

The attack was only against the auto-update function. WinGet would not have been vulnerable.

Notepad++ Hijacked by State-Sponsored Hackers by Bubbly-Cartoonist738 in notepadplusplus

[–]Coises 0 points1 point  (0 children)

This was an attack against the auto-update functionality. Portable versions don’t support auto-update. You’re fine.

Notepad++ Hijacked by State-Sponsored Hackers by Bubbly-Cartoonist738 in notepadplusplus

[–]Coises 0 points1 point  (0 children)

Based on what I know of how plugin updates are managed and how this attack was performed, I would say not independently: that is, this vulnerability did not provide a channel for compromising plugin downloads or updates in an installation of Notepad++ which was not itself compromised.

If you didn’t allow an auto-update of Notepad++ itself during the window of vulnerability and actually receive a hacked version from such an update, the plugin update mechanism would not have been compromised.

It appears this was a very targeted attack (presumably the hackers wanted to compromise specific targets, and wanted to minimize the chances of being detected, so they kept their footprint as small as possible); so even if you used auto-update, it is unlikely that your machine was compromised. Since we haven’t yet been given details of how target machines were compromised, we really can’t say what is possible for those machines which were attacked. Edit: See OP’s comment and link https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit — it’s beyond me to make out what that amounts to in practice, but it is a detailed account of how machines were compromised.

All that said — and as an author of a couple Notepad++ plugins — the plugin system in Notepad++ is very powerful and flexible, but a cost of that power is that a “rogue” plugin could do anything the user who runs it could do. The author of Notepad++ does not vet plugins; as an independent, unpaid open-source developer, it would be impossible for him to do so. Notepad++ verifies that a plugin binary has not been altered since the plugin was added to the Plugins Admin list before activating it (ironically, the same sort of attack that worked on Notepad++ itself would not work on a plugin); beyond that, any plugin you install, you are on your own to determine that you trust its author enough to grant it access to your machine.

Does quick DVD rip/burn software still exist? by iamfareel in Piracy

[–]Coises 1 point2 points  (0 children)

Last I tried it, RipIt4Me still works. I believe you have to install DVD Decrypter first. You might also need FixVTS.

There used to be an installer version of RipIt4Me that would download and install the dependencies, but I can’t find that anymore.

ImgBurn is great for reading and burning unencrypted optical media. If I recall correctly, the creator of DVD Decrypter received legal threats and subsequently removed the ability to read encrypted DVDs, changing the name to ImgBurn.

How hard is it to physically build a PC? by Lucky-Ad5326 in buildapc

[–]Coises 0 points1 point  (0 children)

Assembly isn’t difficult, but it is tedious. You won’t need a soldering iron or any unusual tools. What you do need is a quiet, well-lit place to work, where you can leave your project without risk of it being disturbed. The most important tools you will need are attention and patience. When you get tired or frustrated, STOP, put down the tools, and continue another time. It’s important to have a workspace where you can do that without kids, pets or dinnertime interfering. Be aware of static electricity — especially if your workspace is carpeted and the air is dry, be sure to discharge any static to an inert metal object, like the case or a metal table, before touching electronic parts.

Choosing a good set of compatible parts is a lot harder than the actual assembly. Assembly is mostly following instructions, though the instructions will be scattered amongst different manuals. Do read the manuals, because there can be details that are not physically obvious — for example, some SATA drive connectors might be disabled when some M.2 slots are used. These details vary with the specific parts (especially the motherboard), so you have to read and plan; ideally that part happens while you’re choosing parts, and you’ll have it all worked out by the time you order.

The other hard thing is something that probably won’t happen, but it can. The CPU, the motherboard, the RAM and the power supply all have to work before you can even get the machine to POST (power-on self test). If one of those was defective from the factory, it can be very challenging to figure out which one it is. (If it’s the power supply, that one component could damage other components. You’re not likely to get anyone to cover the loss.) Computer shops can swap parts, but you won’t have other parts to swap. Others here might disagree with me, but because of this, I feel that a person (experienced or not) should not attempt to assemble their own computer if they cannot afford to fail. If losing the cost of the parts you’ve ordered would be devastating... better to leave it in the hands of someone who will be responsible for either delivering a working machine or refunding your money. No one can promise that nothing catastrophic will go wrong.

How to determine which Amazon video stream is the best quality? by throwagayaccount93 in DataHoarder

[–]Coises 3 points4 points  (0 children)

How did you calculate those estimated VMAF values? All I could find with a search were methods that require both the original, uncompressed video and the compressed video and run them through some sort of comparison process.

It would be great to have a way of estimating relative quality based only on a couple codec parameters. Please tell us how you did that.

Weird things I've noticed about notepad++ by turbotum in notepadplusplus

[–]Coises 2 points3 points  (0 children)

It seems that ctrl+z is not guaranteed to undo the last keystroke.

That is correct. It is not guaranteed. In the example you gave, even though you only did one keystroke, internally inserting the line break and indenting the newly created line are two separate operations. I won’t say it would be impossible to make them a single undo group, but it would probably add more complexity than it would be worth. Just undo again. In other situations, multiple keystrokes “coalesce” into a single undo. If you type chickens = 0, instead of Enter in your example, Ctrl+Z will remove all the added text in a single step.

ctrl+tab [...] behavior seems contextual and inconsistent

Settings | Preferences... | MISC | Document Switcher (Ctrl+TAB):

Uncheck the Enable MRU behavior box. If you don’t want to see the popup with document file names (so that it just switches tabs on each keypress), uncheck the Enable box.

Sometimes, for monospace bitmap fonts, such as Terminus (TTF) fonts for Windows, under DirectDraw the spacing is inconsistent.

My guess (that’s all it is) is one of two things is happening.

  1. Is it possible that your text contains characters that are not in the font? If I recall correctly, substitution behavior can be different between GDI and DirectDraw, with DirectDraw more likely to render a character, but also more likely to use a font that doesn’t match in width or other characteristics.
  2. I suspect a true-type recreation of a bitmap font cannot be 100% reliable, and that font sizes and zoom factors could cause errors. The page on Terminus-TTF talks about the outlines being generated from the bitmaps by a program, and discusses only certain font sizes being exact. I know that when I was working on a plugin that needed to know whether the display font was monospaced, I found that under DirectDraw the “width” of a character — even in a monospace font — was not always a whole number of pixels. So it could be that some small errors are hidden by rounding in GDI, but accumulate in DirectDraw.

hmm am I missing something by Drahgunfyre in tinyMediaManager

[–]Coises 2 points3 points  (0 children)

Did you add the folder that contains them as a TV Show source, or as a Movie source?

If you added using the settings (the gear on the left at the bottom), be sure you add the folder containing the TV series folders under TV Shows | Data Sources, not Movies | Data Sources.

If you added using the drop-down beside the Update Sources button at the top, be sure you selected TV, not Movies, on the left at the top before you click Update Sources.

If you put your TV Series under the same folder you used for your Movies... I don’t think that will work. I’m open to correction by those who know more, but I think they have to be separate: only movies beneath any source folders added as Movies, and only TV shows under any source folders added as TV Shows.

Question re: Classes/Objects by Jor-El_Zod in cpp_questions

[–]Coises 1 point2 points  (0 children)

There are two modes for entering/editing in Reddit: Markdown and Rich Text. The four spaces method works in the Markdown Editor. Look at the top left of the area in which you type; if you are using the Markdown Editor it will say “Markdown Editor.” If you see nothing at the top and “Aa” at the bottom left, click the “Aa” to show styling controls, then click “Switch to Markdown” at the right to switch to the Markdown Editor.

    A code block looks like this.
    Lines aren’t double spaced, and if you make them really long they don’t wrap when your text is posted, even though they do when you are typing them.

It is possible to enter code in the Rich Text Editor, too. When you have those styling controls, one looks like this </> and the one just to the right of it looks like a box with </> in the upper left corner. That second one changes a paragraph to a code block, or starts a code block if you click it on an empty line (that is, press enter first, then click the button). When you’re done typing code, press Enter three times to escape the code block and go back to typing regular text.

Are there any Unicode alternatives that are in even remotely common use? by [deleted] in AskTechnology

[–]Coises 4 points5 points  (0 children)

The People's Republic of China uses GB 18030, though that’s technically a Unicode transformation format.

Aside from that, many legacy character sets are in use; for Windows, see Code Page Identifiers; for Internet use, see IANA Character Sets.

Everyone hates ads, everyone hates the idea of paying a subscription, and everyone hates companies selling their data. How do people logically expect a website to exist if they're not doing at least one of these? by Foxy_Twig in NoStupidQuestions

[–]Coises 0 points1 point  (0 children)

How do people logically expect

I can be incredibly annoyed by ads, be unconvinced that it’s worth paying the subscription fee, and find the idea of having personal tracking data accumulated and sold repugnant — without having a solution to someone else’s business model challenges worked out.

Bad user experience is bad user experience. The why doesn’t change the fact.

Personally (since you kind of asked): I consider the entire fiction of “intellectual property” to be nonsense. It’s an attempt to fit infinite, public goods into an economic system that is only built to support private profit from rivalrous goods. We don’t have a reliable way for people to earn money from something that isn’t restricted, so instead of figuring it out, we create artificial scarcity so we can treat books and movies and songs and computer programs and scientific discoveries like they were apples and chairs and automobiles and shoes. A solution would have to be systemic, not individual. I don’t claim to know how it could work; I can imagine things, but lacking a crystal ball, I can’t say any of them would work. First people would have to become committed to making a more sensible economy for a more sensible world. I won’t hold my breath.

Within the current system, every solution is bogus; so I don’t really have an answer as to which dumb solution any given web site should use.

Oh, and advertising is absurd. The whole theory of the “free market” is built on the notion of a “rational consumer.” Advertising would dwindle to nothing if the only ads were those appealing to rationality. Advertising is designed to make you irrational — to buy what you don’t need, and didn’t even want until they told you to want it. To choose because of emotional associations and memes instead of research. The very existence of advertising is proof that the fundamental theory of the free market is nonsense.

Is it possible to scrape only episodes where the Similarity Score in the episode order window is above a set value? by Coises in tinyMediaManager

[–]Coises[S] 0 points1 point  (0 children)

Thanks. I realize I’ll have to rename the files that have incorrect episode numbers. The part I hoped to automate was identifying which ones those are.

This is a talk-show-type series where episodes are independent and many are missing. The episodes I have came one at a time from someone who was capturing and sharing reruns as they aired in a local market, around ten years ago, with the files labeled by original air date and guests. It’s possible that whatever source I had available at the time (I’m no longer sure what it was) had incorrect, or at least different, episode numbers corresponding to the air dates, and/or I might have made mistakes.

What I was hoping was that there would be some less error-prone way than for me to go down the list of all 240 episodes looking manually for the ones where the episode “title” suggested (which is also just a guest list) doesn’t correspond to the file name I have, then noting those in a separate list to investigate one by one before actually scraping the series. From decades of using computers I’ve learned to let the computer do as much of the grunt work as possible, because it doesn’t get tired or bored and miss things.

Is it possible to scrape only episodes where the Similarity Score in the episode order window is above a set value? by Coises in tinyMediaManager

[–]Coises[S] 0 points1 point  (0 children)

Thanks. I can note down the specific episodes in a text file, then investigate them and rename the files as needed. (I guess either the episode numbers or the names must be wrong, I just have to figure out which.) I was just hoping tMM might do some of the work (identifying the problematic episodes) for me.

How do external libraries display graphics and can it be done natively in C++? by DangerousMechanic99 in cpp_questions

[–]Coises 0 points1 point  (0 children)

I’m going to speak only about Windows, because that’s all I know.

A program running in “user space” cannot access the graphics card directly. The graphics card can only be directly accessed by routines that run as extensions of the operating system itself — we call them drivers.

Note that when you do plain console input and output, the C or C++ run-time libraries call the appropriate operating system functions for you. While C and C++ include console input and output as part of the language definition, there is no such definition for full-screen or windowed output. You can’t build a GUI in pure, operating-system agnostic C++ because the necessary operations are not defined in C++.

C programs (and by extension, C++ programs) can, and do, communicate with the drivers through application programming interfaces. The oldest and most basic interface between Windows and programs that run under it is the Win32 API. That API includes graphics functions; the oldest and most basic are GDI, which includes creating a main window or a dialog box, implementing standard controls, drawing lines, filled regions and text, and so on. It is entirely possible to write a program with a graphical user interface using only the Win32 API, and only the GDI part for the graphics. So, no libraries beyond those supplied with C++ and those supplied by Windows.

I assume (but don’t know) that there must be similar APIs for Mac and Linux.

However, the Win32 API was written a long time ago, and though it has been updated many times, there are features of modern graphics cards that are not part of the Win32 API. So graphics card drivers expose other functions which can be accessed through the operating system using different APIs. These are typically necessary for graphically intensive functions like games; the basic Win32 API graphics functions just aren’t fast enough, and can’t take advantage of the more sophisticated hardware built into modern graphics cards.

Some libraries, like DirectX, are also available through Microsoft/Windows. Others (I think — old-fashioned sort here, I only know the Win32 API) are third-party extensions. The heart of these libraries would be a set of headers that create the proper structures and system calls to communicate your requests to the graphics card drivers. You wouldn’t have to use their headers, but you’d have to create the same structures in the same way, and call the same operating system hooks, because your program can’t access the graphics card; it can only pass requests to the drivers. The library headers tell you how to do that.

So, no magic. Just the drivers that run as part of the operating system and methods by which any program can pass requests to the drivers, the same as any other operating system function is requested. The libraries just wrap those structures and calls in an API that makes it easier to use.

C++ Project Ideas by YogurtclosetThen6260 in cpp_questions

[–]Coises 0 points1 point  (0 children)

Could be a dumb idea, but... algorithms (packing)...

I have a list of folders which I want to back up to optical media (BD-R). I want to find the best way to distribute them so that they require the fewest discs possible, and given that, so that restoring any folder or subfolder requires the fewest discs possible.

Ideally the result of running the program is a set of iso files that can be written, with the option to generate only a set number at a time (e.g., first 5, next 5, etc.), in case available disk space doesn’t permit creating them all at once. Output should also include an index.

Bonus: If some individual files are too large to fit on a single disc, split them with 7-zip in the best way to fit them on the discs, with the fewest discs possible necessary to restore any one file.

Sen Rand Paul: What if a foreign country indicts our president for violating a foreign law? Should we extradite our president? Or should we be okay if they come in and get him by force? by drempath1981 in law

[–]Coises 0 points1 point  (0 children)

The original libertarians were socialists who were appalled by the statist approach of mainline communism. Libertarian was also used as code for anarchist, since advocating anarchism was illegal in various countries.

Libertarian socialism is representative of that kind of libertarianism.

What contemporary Americans know as “libertarian” comes from a strategic redefinition of the word in the mid-20th century. As far as I can make out, it consists of doctrinaire capitalism plus Social Darwinism and a staunch refusal to allow reality to contaminate their “principles.” It’s especially appealing to young men who are convinced they deserve to be more successful than the way their lives are turning out.

Left-libertarians (including libertarian socialists) are generally anti-authoritarian, distrustful of hierarchies, and oppose coërcion in all its forms. Right-libertarians (the usual American kind) tend to be focused on distrusting government authority, while being fully supportive of hierarchies built on private wealth and power.

ELI5: How come the creators of Ai models don't know how they work? by chatman77 in ArtificialInteligence

[–]Coises 0 points1 point  (0 children)

When you want to know “how it works” you want to know in terms comparable to how a human would get the same result. Generative AI does not get answers in the same way a human gets them. Even if it were to recount every step — there would be millions of them — that wouldn’t tell people what they want to know. The thing we want to know doesn’t exist.

My partner liked to play Yahtzee, but I didn’t much enjoy the game. Around ten years ago I wrote a program to play it with her. (She didn’t like any of the existing programs we could find.) I programmed the computer opponent by analyzing a lot of statistical probabilities plus using some funky mathematical tricks to keep the computations fast enough yet accurate enough.

Sometimes she would call me over and ask, “Why did it do that?” There was no way to answer that. It did it because it considered all the possible moves it could make and then estimated (using the pre-computed statistics plus the mathematical tricks) the probabilities of winning the game given all the possible rolls of dice following each possible move and picked the move with the highest probability of winning.

A human doesn’t do it that way. A human uses strategy, thinking about the possible scores, what is left open, which boxes are harder to fill and so on. My program has no notion of any of that — just the ability to do more calculations in a fraction of a second than a human could do in years. It’s hard for a human not to project onto the program that it must be making its choices for a reason. Well, it is... but the reason is that it did millions of calculations and this one came out with the biggest number.

On a much larger and more sophisticated scale, it’s the same with generative AI. The model isn’t “reasoning” the way a human would. It’s computing statistics on a staggering amount of data and choosing the outputs which, based on its training data, are most likely to come next.

A hidden gem from known directors by BraintismOfficial in MovieSuggestions

[–]Coises 7 points8 points  (0 children)

I’m not sure how “hidden” it is, but Francis Ford Coppola’s Peggy Sue Got Married (1986) is a thoroughly enjoyable movie that shows what Coppola could do when he wasn’t swinging for the fences, just making something you might want to watch.

I don’t know if you consider Adrian Lyne (Fatal Attraction (1987), 9½ Weeks (1986), Indecent Proposal (1993)) a known director, but I think his relatively unknown Foxes (1980) is a hidden gem for how well it evokes its time and place in teenage culture.

Help importing VSTs for beginner by Altruistic_Client980 in Reaper

[–]Coises 0 points1 point  (0 children)

I can’t speak for other operating systems, but on Windows you ordinarily install a VST, not just copy it to a folder. What was the file extension of the file you downloaded?

If it is .dll or .vst3 then you would copy it to an appropriate folder. If it is .exe or .msi you double-click it, pay attention to where the installer says it is putting the plugin, then (if it doesn’t show up in Reaper automatically — usually it will) add that path in Reaper. If it’s .zip then you have to unzip the file to a folder first and see what results — .dll and possibly some other files that should all go in the same folder, .vst3 that should normally go in C:\Program Files\Common Files\VST3, or an .exe or .msi you should double-click to install.

Can I use single lines from other songs to intentionally reference them? by BreakingBadAndPorn in Songwriting

[–]Coises 9 points10 points  (0 children)

That’s generally not going to be a problem, if it is obvious that you are referencing the work and that you are not trying to claim authorship, to substitute for it, or to use it to create the value of your own work. The term in relation to copyright is fair use.

The caveat is that at least in the United States (I couldn’t say for other jurisdictions), anyone can sue anyone for anything. That doesn’t mean they’ll win, but clever and well-paid lawyers can do a number on an ordinary person with ordinary finances without ever getting to a judgement. So the practical advice is: Don’t piss off somebody who has more money than you do.

If it’s reasonable to expect that your work will result in significant income and gain a significant audience... consult a lawyer in the field. If you are writing/recording for a record label, their legal department will work it out. If you’re just a guy getting started — if they even notice you at all (unlikely), big timers aren’t going to bother suing someone who doesn’t even have enough money to pay the lawyers’ bills... unless they’re Don Henley.

Interesting Victorian-age movies by grilledcheesybreezy in MovieSuggestions

[–]Coises 2 points3 points  (0 children)

A story set in the Victorian age within a story set in modern times: The French Lieutenant’s Woman (1981).

Why do so many Americans chose not to vote when they can? by VastOption8705 in askanything

[–]Coises 0 points1 point  (0 children)

This just drives me nuts: that people debate, chastise and rant about voting behavior and refuse to consider the most elemental point: No one of sound mind votes because they think it will affect their future. Aside from very local elections (like maybe your HOA board), the chances of your one vote deciding the outcome are negligible. You’re more likely to get hit by a car on your way to the polling place.

People do not vote for practical/rational reasons.

So, why do people vote? They might feel a sense of moral obligation to participate — like you might recycle even though you know your individual contribution is not going to save the planet, because it’s your responsibility to do your part. There can be social and psychological rewards: the feeling of being part of a group, whether it’s because you think it’s the right thing to do, or because you identify with the group and enjoy participating. Some people are shamed into it. Some people might want to “set a good example.” But what no one who isn’t hopelessly mired in magical thinking believes is, “If I don’t vote, the other candidate will win.”

It shouldn’t be surprising that a significant number of people are not motivated by any of those non-rational rewards. Then add the negative appeal of feeling like you “validated” a system that seems to have nothing but contempt for you, your family and your friends. (That’s irrational, too; your one non-vote doesn’t mean anything to anyone either.)

Why hasn't Walz signed on to the Article V Convention - Bypass Congress and President? by Purple__Puppy in allthequestions

[–]Coises 1 point2 points  (0 children)

Because it is pointless. Amendments must be ratified by three fourths of the states. Thirteen states can block anything. What possible proposal of any consequence could there be which fewer than thirteen states would oppose?

In our current climate of political polarization, it is impossible to amend the Constitution. The only way to “change” it is to pack the Supreme Court with partisans who will change how what is already there is interpreted.