@bundy

“I don't know what to say” – Backdoor in popular event-stream NPM repo

Just saw on Hacker News that the event-stream package may have a backdoor. Is this used in any SSB modules, and/or has this been discussed elsewhere on SSB? It's frustrating to see so much heat pointed at Dominic here, especially when it's obviously not a one-off attack.

@Mikael Brockman's laptop
Voted this
@Mikael Brockman's laptop

I feel a bit more paranoid lately. Maybe I'm not taking the right vitamin supplements. A character in a Pynchon novel said "paranoia is the garlic in life's kitchen, you can never have too much."

It does seem kind of unwise for businesses to trust "automatic updates" from a wide variety of unknown sources. Seems like businesses need to decide who they want to trust, and update their dependencies when that source tells them to. If they choose to trust "the npm community" then they take on a lot of risk.

My anthropologist friend shakes her head when people use "community" in a vague sense. "What community, exactly?" she wonders.

@bundy

@Mikael Brockman's laptop

I wonder whether we'll eventually see permissions for Node modules, where filesystem and network access would be rare. Unfortunately, right now we have thousands and thousands of packages with no restrictions, and exfiltrating data is just as easy as rm -rfing all the things.

The only upside is that [as long as you're using a lockfile] I think you're immune to deep dependency updates, but the long and the short of it is that downloading arbitrary software from the internet isn't any more secure just because you downloaded it with npm install.
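A lockfile pins transitive versions as well as direct ones, which is what the immunity described above relies on. The script below is an added example, not code from this thread: it walks a constructed package-lock.json (lockfileVersion 1, nested "dependencies" objects) and flags any pinned package matching a denylist, so you can confirm exactly which version of a transitive dependency a project actually resolved. Apart from event-stream, the package names and all version numbers are placeholders.

```javascript
// Added example: audit a lockfileVersion 1 package-lock.json for pinned
// transitive dependency versions. The lockfile, the package names other than
// event-stream and every version number below are constructed placeholders.
const constructedLock = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "event-stream": {
      version: "1.2.3",                       // constructed version
      requires: { "some-transitive-dep": "^0.1.0" },
      dependencies: {
        "some-transitive-dep": { version: "0.1.1" }   // constructed version
      }
    },
    "other-dep": { version: "4.5.6" }         // constructed version
  }
};

// Walk the nested dependency tree and return every pinned (name, version)
// together with the chain of parents that pulled it in.
function walkLock(deps, parents = []) {
  const out = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const chain = [...parents, name];
    out.push({ name, version: meta.version, path: chain.join(" > ") });
    if (meta.dependencies) out.push(...walkLock(meta.dependencies, chain));
  }
  return out;
}

// Compare every pinned entry against a denylist of {name, version} pairs,
// e.g. the versions named in an advisory you are checking the project against.
function auditLock(lock, denylist) {
  const bad = new Set(denylist.map((d) => `${d.name}@${d.version}`));
  return walkLock(lock.dependencies).filter((e) => bad.has(`${e.name}@${e.version}`));
}

// Placeholder denylist: one constructed (name, version) pair.
const denylist = [{ name: "some-transitive-dep", version: "0.1.1" }];

for (const hit of auditLock(constructedLock, denylist)) {
  console.log(`pinned ${hit.name}@${hit.version} via ${hit.path}`);
}
```

Point it at a real lockfile by replacing `constructedLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; lockfileVersion 2 and 3 files use a flat "packages" map instead, so they need a different walker.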

@mmckegg

@Christian Bundy

I wonder whether we'll eventually see permissions for Node modules, where filesystem and network access would be rare.

I believe this is one of the premises behind Ryan Dahl's new server-side JS project: deno

@bundy

@matt

What's your read on TypeScript? I've used it before and don't have any problems with the syntax, but I'm kind of hesitant to jump ship from JavaScript to a project I believe is maintained by Microsoft. Are my worries misplaced?

@bundy
Voted this
@mmckegg

@Christian Bundy

I have not yet used it on any projects, but after my experiences in Rust, I am quite keen to give it a try.

As for Microsoft's involvement: I trust them more than Facebook and react :grinning: My take is that if we can get some good open source software sponsored out of these massive companies, then that is a good thing.

@bundy
Voted this
@Jacob (desktop)
Voted this
@ev

What's your read on TypeScript? I've used it before and don't have any problems with the syntax, but I'm kind of hesitant to jump ship from JavaScript to a project I believe is maintained by Microsoft. Are my worries misplaced? - @Christian Bundy

V8 is maintained by Google, so the same is true with Node.

But yes, Deno aims to solve the above problem, and a number of other problems such as getting rid of npm.

I find it hard not to disagree with the comments saying that Dominic could have done more to mitigate this situation. He also has indicated that he knows how to fix a known exploit in secure-scuttlebutt, but has so far been unwilling to fix the issue.

Can people who are not blocked by Dominic reach out to him and explain that it is his moral responsibility to fix this exploit before it is used to do harm to this network?

Let me apologize in advance for the flame war that is about to be directed at me for bringing this up again.

My fear is the next time we're on HN, it's because someone has posted abusive content here, and there's no way for us to delete it from our local machines and pubs.

I also wrote about this here: %MEE6w3S...

I wish I could fix this myself, but no matter how long I stare at the Flume DB code, I still don't get it. The only person I know on this network who understands Flume is the man who created it, Dominic Tarr.

If anyone else can fix this, and let Dominic off the hook, by all means fix it.

@ev

Dominic is wrong. If there's no authority, then there's nobody taking responsibility. This is a perfect example of how lack of organizational structure simply does not work in the real world. Dominic's other projects like scuttlebutt are likely doomed to fail as well because of his wrongheaded views about organization. - https://news.ycombinator.com/item?id=18535100

I don't want this guy to be right.

@kawaiipunk
Voted this
@romuloalves
Voted this
@mikey
Voted this
@mikey

oh no the comments, so much open source consumerism: entitlement towards the productive labor of volunteers, no responsibility for those who take, all the responsibility for those who give, no reward if contributions go well, all the blame if things go bad.

cheers to you @dominic, sorry you're getting a heap of flak at the moment :heart:

@dan hassan android
Voted this
@bundy
Voted this
@Dominic

@dinosaur I am getting some flak, but I'm also getting a lot of support from friends and others who see that too much is expected of maintainers.
I'm glad that this incident is bringing awareness to the absurd responsibility that module maintainers bear.

I haven't written anything that depends on event-stream in years. It was literally the first stream module that I wrote, 7 years ago. I've moved on significantly since then; I switched to pull-streams before I started secure-scuttlebutt. That's one of the major problems here: I was left with the keys to maintain something that I no longer used. I have no skin in the game. Expecting me to maintain this makes no sense.

Nothing in scuttlebutt depends on event-stream!

@Dominic

btw, also my statement on this for the internet: https://gist.github.com/dominictarr/9fd9c1024c94592bc7268d36b8d83b3a

@bobhaugen

Will be really excellent if this incident prompts some general recognition of the political-cultural-social-economic problem of maintaining open source software. Will need to happen. Best if it starts now.

@dinosaur where's that Open Source Programmers Unite! thing you wrote when I need it...

@andrestaltz

Ouch, second frontpage HN article about this: https://news.ycombinator.com/item?id=18537583

I've been busy publicly defending Dominic out there on Twitter, but it's a bit scary (HN and its invisible tentacles always is scary or exciting or both) that at this point the entire programming community that sometimes follows news will know about this.

@moid

Well some folks seem to get it.

As a user of something open source you are not thereby entitled to anything at all. You are not entitled to contribute. You are not entitled to features. You are not entitled to the attention of others. You are not entitled to having value attached to your complaints. You are not entitled to this explanation.

@neftaly

It's gonna be really hard to contribute to semi-abandoned packages from here on out.

Funnily enough XhmikosR (the first complainant in the GH thread) has write access to some of my repos on exactly the same arrangement.

@Daan

@andrestaltz I'm sure some of that will be scary, but I'm sure some will also get there's a systemic problem here.

Not being a JS dev, and having very recently been burned by the supposed simplicity of JS and its ecosystem, I'm tempted to say this is a language-specific problem. In any case, it's good to see attention being directed to a problem that affects probably literally billions of devices. Never mind the haters on GitHub and HN...

@neftaly

I think it's an Eternal September problem more than anything, though it's funny how NPM always seems to end up being involved with every incident.

@davidbgk

Keep up @Dominic :muscle:

@mikey

@dinosaur where's that Open Source Programmers Unite! thing you wrote when I need it...

@bobhaugen: https://blog.dinosaur.is/workers-of-open-source-unite/

@Fabián Heredia Montiel
Voted this
@cryptixInTheCloud

I'm glad to see much saner responses to https://gist.github.com/dominictarr/9fd9c1024c94592bc7268d36b8d83b3a than on the GH issue.

I'm still baffled by all the "but there are too many submodules to vet them" arguments. How can you go from "I recognized this problem" to YOLO and then find someone else to blame when your shit catches fire?

@lancew
Voted this
@lancew

@Dominic Kia Kaha!

Sounds like you have found yourself in the middle of a storm not of your creating.

It also sounds like the people I respect are supporting you.

Security is hard, this reads like a planned, intelligent attack... so very hard to defend against... especially on zero time/money budget.

@Dominic

Thanks everyone. I've gotten generally supportive messages from many people who are actual open source developers; they understand how it is! Everyone else, well, I think they'll figure it out eventually. I have been quite successful at ignoring them it seems (I haven't looked at Hacker News, and wouldn't recommend that in general ;)

@neftaly I remember the good old days when "because there is already a module for everything" wasn't the reason to use node. That was a long time ago now.

@bundy
Voted this
@bundy
Voted this
@bundy
Voted this
@Anders
Voted this
@Anders
Voted this
@Dan Hassan
Voted this
@lzlr

This is a perfect example of how lack of organizational structure simply does not work in the real world.

This is an example case where organizational structures can be overcome in the real world. We should think about how to solve this problem.

FTFY

@ev

This is an example case where organizational structures can be overcome in the real world. We should think about how to solve this problem. - @lzlr

Would you be willing to elaborate on this? I'm not sure I quite get what you're saying yet. Fork the thread if necessary, since this thread seems to be focused on the hn article.

@ev
Re: %I6FaCzdXc

@ev you must have really pissed people off to have everyone block you like that. None of my business really, but you may want to change your game plan a bit, "plays well with others" is one of those sandbox skills you need to have to get by. Just sayin....

peace on earth good will towards bears - @moid

@moid I know why many of these people are blocking me: It's because I came of age in Bloomberg-era New York where the subway system was constantly telling me: "If you see something, say something." I have to balance that with growing up in (and returning to) Chicago where the saying goes: "Snitches get stitches."

As for sandbox skills: I've never wanted to play in a sandbox with children who are intolerant of other children who are different -- or have different opinions -- than the other children. So between New York and Chicago, I'll continue to advocate for inclusive (and secure) sandboxes for us to play in.

I've been bending over backwards not to accuse anyone of doing this on purpose, as there's no reason to believe that right now. But, if we're using (or have used) insecure-scuttlebutt I'm not going to shut up about it.

@ev just open an issue in GH, especially if you have a reproducible test case and/or can point to the relevant code. Someone will see it there - @moid

After the event-stream debacle, I'm not quite sure if opening a Github issue in full public view of the entire development community is the most responsible way to handle this security vulnerability. But if people who are not kicked out of the ssbc want to bring this up on Github, then they should.
