Diseased Open Source Software Community - it's about ethics in Code of Conducts

(gonna be a bit redundant because I already wrote up some stuff)
Brandon Nozaki Miller added a poorly obfuscated script to recursively overwrite all files on the system with a heart emoji if it gets a Russian or Belarus IP from some API.

Not only is this unethical and criminal, GeoIP information is totally unreliable. For example, the GeoIP information of KFcc is wrong and reports a different country than where the servers actually exist. It appears based on opened issues that this is affecting Chinese users, probably because GeoIP information is not reliable. Maybe people just have servers in Russia or Belarus. What a fucking retard.

As part of damage control he keeps telling everyone "oh it was just this 'peace-not-war' thing it doesn't really do anything bad". But he doesn't address the fact he added his own little script that actually overwrites files.

Don't get confused, these are two different actions. Someone took the time to de-obfuscate and comment on the more malicious code he added: https://gist.github.com/ckcr4lyf/6d96c2bf42ec31c6362053ea275d80d5 (https://archive.ph/GPJeG )


Downstream VueJS issue: https://github.com/vuejs/vue-cli/issues/7054 (https://archive.ph/7qJ3t)
Malicious Code: https://github.com/RIAEvangelist/no...08352038b2204f0e7633449580/dao/ssl-geospec.js (https://archive.ph/n8oBX)

Just a sample of all the fun issues at https://github.com/RIAEvangelist/node-ipc/issues


Westoid News (doesn't mention the deletion script): https://www.itnews.com.au/news/prot...ependency-labelled-supply-chain-attack-577488 (https://archive.ph/PCzJ4 )
Chinese Discussion: https://www.zhihu.com/question/522144107 (https://archive.ph/jeNML )

https://twitter.com/electricCowboyR (https://archive.ph/CFqJL)
https://twitter.com/electricCowboyR/status/1503828635601448960 (https://archive.ph/HSJNe)
https://hackaday.io/RIAEvangelist (https://archive.ph/p7I8l)
https://imgur.com/user/BrandonNozakiMiller (https://archive.ph/fGpVH)
https://stackoverflow.com/users/1150771/brandon-nozaki-miller (https://archive.ph/rLQhK)
https://www.behance.net/RIAEvangelist/info (https://archive.ph/SS2zM)
https://www.buzzfeed.com/RIAEvangelist (https://archive.ph/fhj4F)
https://www.facebook.com/RIAEvangelist (https://archive.ph/ySOaD)
https://www.facebook.com/RIAEvangelist/about (https://archive.ph/ulyzs)
https://www.facebook.com/RIAEvangelist/friends (https://archive.ph/U1Txm)
https://www.youtube.com/brandonnozakimiller (https://archive.ph/fOaTN )
https://www.linkedin.com/in/electriccowboy/ (unarchivable)
https://www.patreon.com/BrandonNozakiMiller/creators (https://archive.ph/5lNjL )
https://www.quora.com/profile/Brandon-Nozaki-Miller (https://archive.ph/zvGeA)
https://www.reddit.com/user/RIAEvangelist (https://archive.ph/R3sGi)
https://www.similarplay.com/diginowit/ppihc_pikes_peak_race/apps/com.brandondiginow.it.pikespeak2014 (https://archive.ph/knUNB)
https://www.indiegogo.com/individuals/19433827/campaigns (https://archive.ph/ocEnG)
https://www.indiegogo.com/projects/diginow-supercharger-v2-5-mass-production#/ (https://archive.ph/OSDNJ)
https://www.indiegogo.com/projects/nissan-leaf-tesla-faster-level-2#/ (https://archive.ph/fyDdM)
https://www.instagram.com/electriccowboyracing/ (https://archive.ph/qCsWw)
https://bugs.chromium.org/p/chromium/issues/detail?id=431795 (https://archive.ph/ja0wb)

 
@CrunkLord420
Brandon Nozaki Miller added a poorly obfuscated script to recursively overwrite all files on the system with a heart emoji if it gets a Russian or Belarus IP from some API.
What was this malicious code put in? Was it some no-name thing or was it big? I don't know webshit.
I can't even begin to process how this guy thought this was a good idea. I hope he likes his permanently tanked reputation. No matter how Approved (tm) his opinions are, nobody is going to want a retarded that only hurts himself.
 
@CrunkLord420

What was this malicious code put in? Was it some no-name thing or was it big? I don't know webshit.
I can't even begin to process how this guy thought this was a good idea. I hope he likes his permanently tanked reputation. No matter how Approved (tm) his opinions are, nobody is going to want a retarded that only hurts himself.
It's a popular addon for an extremely popular web framework. This could have potentially screwed over a lot of people but I don't think we know the extent of the damage right now.

You can read his metrics here: https://www.npmjs.com/package/node-ipc
Over 1 million weekly downloads, which means (conservatively) he's serving at least that many people, if his only downloads are people updating on a weekly basis.
 
A Debian developer decided to quit after over 20 years of involvement because he was constantly being demoted and accused of wrongdoing, and plans on joining Arch. He also commented that the "political" side of Debian is creating a very toxic atmosphere and he was frequently bullied. It began with another developer, Martina Ferrari, accusing him of being a sexist jerk and things must have snowballed from there. He said he will release more info, including names of those involved, and reveal DMs and mailing list discussions on his blog in the future, so keep an eye out.
I wonder if this is why a bunch of tech media suddenly started running stories about Daniel Pocock, one of the arch-evil monsters Debian unpersoned for "harassment" a few years back. They're probably going for the guilt by association angle, to create the perception that all these people are the same basket of deplorables and should be ignored.

Actually scratch that, they ran stories on Pocock because he won a decision against Fedora over a domain name and is also a "notorious harasser". Man, coincidence is a canny beast.
 
Ah yes, the biyearly npm incident that everyone will take completely seriously and without a doubt NOT sweep under the rug as yet another "isolated incident".

Funnily enough, it made its way over to Unity which was simply too slow to update, at which point the geoIP API key had already been revoked.
 

Brandon has started backpedaling hard.


However, the force-push undoing all his malware shit so the files in his repo were all last edited 9 months ago has not yet carried through to the system that pushes out updates. So the malware is still out there.

He's also silently editing out comments that discuss his malware shit:


The issues tab is stuffed full of threads that he's silently locking.


Meanwhile, this module is so extensively used that people are finding its handiwork when they run fucking Unity development tools:


 
@CrunkLord420

What was this malicious code put in? Was it some no-name thing or was it big? I don't know webshit.
I can't even begin to process how this guy thought this was a good idea. I hope he likes his permanently tanked reputation. No matter how Approved (tm) his opinions are, nobody is going to want a retarded that only hurts himself.
Hurts himself, whatever. Hurts your business over political nonsense? Do not hire.
 
Meanwhile, this module is so extensively used that people are finding its handiwork when they run fucking Unity development tools:
I'm kinda baffled at this. Is this Unity Hub thing some Electron shit which is running this package? Why did they publish a release to users which had this bad package in it; did they not test it locally? Or, even dumber, is their software auto-updating packages for itself, by itself?

It's too bad the Unity team has to release an Electron app. If only they had some experience creating multi-platform software which integrates reasonably well and is reasonably performant across all its target platforms. Hmm. But lacking that level of experience, it's only natural for small, budget-constrained teams to use Electron for this sort of thing, which is also why Microsoft uses it.

(This has been your periodic "LC fucking hates Electron" post. Please stay tuned for more.)
 
Guy says he works for an American NGO that lost whistleblower intel involved in the conflict. Possibly fake and gay, but also plausible. It's getting a lot of attention. https://github.com/RIAEvangelist/node-ipc/issues/308 (https://archive.ph/yfFMi)
Sketchy as fuck, guy joined five hours ago just to make this issue and you're telling me they store information on government abuse locally with no backups for an extended period of time despite being based in the US?
I hope it spooked the dumb faggot who pulled this stunt though, he deserves the heart attack.
 
This is the logical conclusion when people tolerate shit like that one Minecraft mod shoving Nigger Lives Matter propaganda in your face, and that "ethical source" snake oil. People feel empowered to fuck with the software they write just because they think it'll make a difference, when at best they'll do nothing and at worst will piss everybody the fuck off (as it always does).

Guy says he works for an American NGO that lost whistleblower intel involved in the conflict. Possibly fake and gay, but also plausible. It's getting a lot of attention. https://github.com/RIAEvangelist/node-ipc/issues/308 (https://archive.ph/yfFMi)
Even if this isn't real, I hope Brandon Miller gets sued into the ground anyways. Fuck him and fuck his shitty "hacktivism."
 
Guy says he works for an American NGO that lost whistleblower intel involved in the conflict. Possibly fake and gay, but also plausible. It's getting a lot of attention. https://github.com/RIAEvangelist/node-ipc/issues/308 (https://archive.ph/yfFMi)
Hmm, looks like that post is currently edited to this:

Edit: I have been asked to withdraw this statement from GitHub.

A copy will be made available here

If this still isn't LARPing, I wonder who requested it be "withdrawn." Maybe the glowy agency he works for, or maybe GH itself? Either way, just linking to the same content on a pastebin isn't much in the way of censorship.
 
Brandon Nozaki Miller has responded to the plausible allegation that his actions have caused significant damage to the investigation of war crimes.

https://github.com/RIAEvangelist/peacenotwar/issues/45 / https://archive.ph/VbUdw

Clearly he took some time to self-reflect on his actions. An issue he felt so strongly about that he had to develop "protestware" and then on top of that add additional, actually dangerous, malware. Because he felt so strongly about it. He feels so strongly about peace. He feels so bad about the Ukrainian civilians, or something. You can clearly see how shaken he is that his actions may have harmed them.

Actually no, he's borderline pivoting to "LOL THIS WAS JUST ME PROVING HOW VULNERABLE YOU ARE TO SUPPLY CHAIN ATTACKS #OWNED". I like how all these soydev webshitters pretend like they actually audit all 1000 of their NPM-madness dependencies any time they update anything. No one would ever update anything if that was the case, which would be even worse for security.
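The thread keeps circling back to the same practical question: nobody audits a thousand transitive dependencies by hand, so how do you even find out whether something like this ended up in your tree, especially when it came in under some build tool rather than from your own package.json? Here is an added example, not from the thread and not node-ipc's or anyone else's code, that answers that one narrow question offline from package-lock.json alone. It assumes you already have a list of version strings you consider bad (the ones used below are placeholders, not real version numbers) and that the lockfile is either the old nested format (lockfileVersion 1) or the flat "packages" map (lockfileVersion 2/3).

```javascript
// Added example (not from the thread): find every install of a named
// package in a package-lock.json and flag the ones on a known-bad list.
// Runs on the lockfile alone, so it catches transitive installs nested
// under other packages without needing node_modules to exist.

// Collect every install of `name` from a parsed package-lock.json.
// lockfileVersion 2/3: "packages" is keyed by the node_modules path.
// lockfileVersion 1: "dependencies" is a nested tree, walked recursively.
function findInstalls(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      // Path suffix match keeps "node_modules/foo-node-ipc" from matching.
      if (p.endsWith("node_modules/" + name) && meta.version) {
        hits.push({ path: p, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const p = prefix + "node_modules/" + dep;
        if (dep === name && meta.version) {
          hits.push({ path: p, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, p + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Keep only installs whose version is on the known-bad list (exact match,
// since lockfiles record resolved versions, not ranges).
function flagKnownBad(installs, badVersions) {
  const bad = new Set(badVersions);
  return installs.filter((i) => bad.has(i.version));
}

// Convenience wrapper for raw lockfile text (e.g. fs.readFileSync output).
function scanLockfileText(text, name, badVersions) {
  return flagKnownBad(findInstalls(JSON.parse(text), name), badVersions);
}

// Constructed sample lockfile (lockfileVersion 3): the app depends on the
// package directly at an "OK" version, while a CLI tool pulls in a second,
// nested copy at the "bad" version. Version strings are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/some-cli-tool": { version: "5.0.0" },
    "node_modules/some-cli-tool/node_modules/node-ipc": { version: "X.Y.BAD" },
    "node_modules/node-ipc": { version: "X.Y.OK" },
  },
};
const KNOWN_BAD = ["X.Y.BAD"]; // placeholder list, not real version numbers

// Walk the sample and report each flagged install with its path, which is
// what tells you which dependency actually dragged it in.
const sampleHits = flagKnownBad(findInstalls(SAMPLE_LOCK, "node-ipc"), KNOWN_BAD);
for (const h of sampleHits) {
  console.log(`flagged ${h.version} at ${h.path}`);
}
```

The path in the output is the useful part: a top-level `npm ls` style view only tells you the package is present, whereas the nested path tells you which dependency (here the constructed `some-cli-tool`) is responsible, which is the thing you have to pin or replace. A lockfile that was regenerated after a registry version was pulled will simply not contain the bad version, so run this against the lockfile that was actually deployed, not a fresh one.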

maybe GH itself?
I had personal dealings with GitHub over the ResetEra Ban Site and their statements and actions were bizarre. It was like talking to robots who refused to acknowledge anything I said and kept insisting I dox myself. When I refused they threatened to ban me for a ToS violation that I actually wasn't in violation of because of an exception specifically designed for my use-case. Despite their Section 230 protection I could see them just fucking around because they felt like it.
 
Broke: Make the world a better place by creating, maintaining, and sharing free software that anyone can use or build on and doing this so consistently for so many years that the fabric of the Internet practically depends on the collective sense of public trust that the people writing the code are genuinely trying to make good code rather than being petty, destructive faggots

Woke: Make the world a better place through random acts of terrorism based on shit you heard on reddit and making up after-the-fact excuses for any collateral damage you cause
 