The Vulnerability We Deserve

This article is already old news for me and largely irrelevant, as I don’t use much in the way of random js modules, random packages, etc. However, the subject is interesting because of the conversations it has spawned:

As always, the hell is in the comments on these posts, but for me it mostly boils down to a couple of things:

  1. In the mad rush to develop, details get drowned in the flood of dependencies, libraries, etc. etc. etc. that get imported willy-nilly to provide functionality without reinventing the wheel.

  2. The superficial incentives to write and release millions of tiny modules and libraries result in heavy obfuscation of core beliefs in what software should be.

And this is where I get slightly Stallman-esque.

The code, in this case, was in the minified version and therefore, for practical purposes, unreadable for most. And while minified code serves a purpose when used on the web (i.e. small files, quick loading, etc.), it is something that can’t be read or studied easily. This goes double for the user of a website, who has already been greeted by and has already run the software in question before having any chance to read it.

But blah blah blah–that’s a whole separate topic.

Sticking mostly to the hell-world that is node and NPM, I ran a quick test where I installed express to see what would happen. The result cranked out the following:

+ express@4.16.4
added 48 packages from 36 contributors and audited 121 packages in 2.97s
found 0 vulnerabilities

Mind you, I am not disparaging express; it was simply the first example that came to mind.

However, within the node_modules folder there are now 48 folders, each with their own code, etc. - dependencies with dependencies with dependencies, and each with their own points of failure and possibilities for corruption.

Add to this the devil-may-care attitude of open source developers who release their projects into the hands of whomever they want. This creates the (obviously very real) possibility of the new maintainers putting malicious code into the package on the next version update, and with it a huge potential for problems. And this is why the “open source developers don’t owe you anything” argument falls flat. They might not owe users anything in terms of direction and development of their program, but they do owe them the ability to trust in the last release of their signed product.

This, of course, is another issue entirely. The glut of projects on GitHub, etc. that are desperate for new maintainers is astounding and is a topic for important future action.

Barring actual responsibility from developers, the first solution, I imagine, would then be proper due diligence on those who are importing libraries like gangbusters. They have the duty to make sure their code is as harmless as possible and therefore must accept the risks and responsibilities of managing third party libraries.

That is a bit extreme though. One cannot simply inspect all the libraries and the excess code contained therein, so what then?

Perhaps a rethinking of the entire NPM-styled system. To be frank, it’s nonsense and very close to a vanity measuring contest with its bragging about how many packages are available and such. The result is the glorification of package production and an increased chance of abuse by those who know that the flawed model has become a place of misplaced trust for developers. (see here for a well-reasoned article on the issue, along with a call for the creation of a Standard Library)

There must be the ability to read the code and understand it, and code that depends on more code needs a way of incorporating that code that gives it some control over it, so that bad things can’t be slipped in.
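One concrete form of that control, as an added example that is not from the original post: a script that walks an npm v1 package-lock.json and reports how many packages you are implicitly trusting, which entries carry no integrity hash (so nothing pins the tarball you will get next time), and which resolve somewhere other than the registry. The lockfile below is constructed for illustration; its versions, URLs and hashes are placeholders, not a real express lockfile.

```javascript
// Added example, not code from the original post: walk an npm v1 package-lock.json
// and list what `npm install` has asked you to trust. The lock below is constructed
// for illustration; versions, URLs and hashes are placeholders, not real express data.
const lock = {
  dependencies: {
    express: {
      version: "4.16.4",
      resolved: "https://registry.npmjs.org/express/-/express-4.16.4.tgz",
      integrity: "sha512-PLACEHOLDER"
    },
    accepts: {
      version: "1.3.5",
      resolved: "https://registry.npmjs.org/accepts/-/accepts-1.3.5.tgz",
      integrity: "sha512-PLACEHOLDER",
      dependencies: {
        "mime-types": {
          version: "2.1.21",
          resolved: "https://registry.npmjs.org/mime-types/-/mime-types-2.1.21.tgz"
          // no integrity field: nothing pins this tarball's contents
        }
      }
    },
    "body-parser": {
      version: "1.18.3",
      resolved: "https://example.invalid/mirror/body-parser-1.18.3.tgz",
      integrity: "sha512-PLACEHOLDER"
    }
  }
};

// Visit every package in the (possibly nested) lock tree, depth first.
function walk(deps, path, visit) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...path, name];
    visit(here.join(" > "), meta);
    walk(meta.dependencies, here, visit);
  }
}

// Trust surface: package count, entries lacking an integrity hash, entries fetched off-registry.
function auditLock(lockfile, registry = "https://registry.npmjs.org/") {
  const report = { count: 0, missingIntegrity: [], offRegistry: [] };
  walk(lockfile.dependencies, [], (id, meta) => {
    report.count += 1;
    if (!meta.integrity) report.missingIntegrity.push(id);
    if (!(meta.resolved || "").startsWith(registry)) report.offRegistry.push(id);
  });
  return report;
}

console.log(JSON.stringify(auditLock(lock), null, 2));
```

On a real project, replace the constructed object with `JSON.parse(fs.readFileSync("package-lock.json"))`; the integrity field is what lets npm verify that a later install fetches the same bytes that were reviewed.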

Freedom is necessary, free software is necessary and both should do no harm.

10 Print

got nostalgic for the commodore 64 and wrote a javascript/html variation of 10 Print.

it can be found on my github here

while the original code is this:

10 PRINT CHR$(205.5+RND(1)); : GOTO 10

the javascript version is also one line but demanded some css, etc. to make it look decent in the browser. also, microsoft edge kills it completely. both of these things bother me but i’m not sure why. maybe the simplicity of the console versus the formatting hell that is the window? longing for a simpler age? getting crushed by nostalgia for something that never truly existed?

regardless, i made a thing. huzzah.

observations

  • a computer is a tool, not a way of life.
  • operating systems are technology’s corn mothers.
  • platform lock-in is equal to being under arrest - you aren’t free to leave.
  • (borrowed) the cloud is just another person’s computer
  • silos are for grain not data
  • the desktop website and mobile site are mirrors of the record album and cd.

Command< | >Line

i find a hypnotic peacefulness in the blinking of a cursor.

which, i believe, is why my mind draws a blank when it comes time to put something down in the old text processor.

and so much
    can be
  said about formatting  
        when it's hypnotic
  and graciously absent
            of graphics
                                      |

but even now, i resumed writing this (from the above)

because i’m in awe of the fact that we, contemporary people, settle into no permanent home online, but instead choose to scatter versions of ourselves around indiscriminately.

business here, sexy there, raving lunatic there, etc.

and the vision is that of each of us being a sower–scattering the seeds of our identities about so that no cohesive person can emerge.

Running of the Bots

At the moment I only have two bots on Twitter.

  • All Proper Names
  • Sentimental Trump

The first is a listing of all possible combinations of names from popular name lists found on the internet, and the second analyses the sentiment of each of Donald Trump’s tweets.

At the moment they both seem relatively useless but at 3am last night they seemed like brilliant ideas.

This is how these things go.

What I find interesting about bots is their sheer uselessness altogether. Yes, bots that alert people to danger, etc. are useful but only to the degree that they don’t get drowned out by other bots.

I imagine the scene to look a lot like a bombing run where the people on a mission are having to navigate through heavy flak.

But the signal/noise commentary is very overdone so I’ll stop.

Although I toss around the word “useless” (7 points in scrabble barring being on any of the fancy squares) I appreciate the useless far more than the useful.

Useless is interesting. It’s the stuff that leads to great thoughts and art. It’s the unexpected glitch and the long-sought ‘accident’.

Useful is banal. It’s the facebooks of the world that end up being just a daily drone of people’s eating habits. Showering us with an existential angst that says “you, little person, are nothing”.

I plan on tarrying in the useless for the time being.

expect more.


UPDATE: 7-12-18

The bots are and have been down for some time. Bots, by and large, are boring stuff.