Diseased Open Source Software Community - it's about ethics in Code of Conducts

He's active on Github right now: https://github.com/RIAEvangelist/node-ipc/issues/527

Going through all the closed issues on node-ipc, he has just been frantically closing all of them and deleting comments, lol

What an insufferable prick. He could have critiqued modern software development (which, to be fair, IS shit) without having released a shitty piece of malware that almost certainly harmed innocents and did nothing to help anybody. The man would murder someone in cold blood and his defense would be "decide if you are OK trusting people when we still have people willing to start wars in our world."
Imagine being up at 1AM on a Saturday and you're spending your time renaming issues like this :story:
Too bad he can't erase fartsniffer104 and yeeterlol from the page.
 
Sure buddy, I'm sure the Kremlin and the Russian Military and Intelligence services are definitely going to use open-source Javascript from some balding American soylord.

Unlike, say, Russian dissidents who would want to know exactly what code they're running and don't have the money for commercial code because the Russian economy bombed.

Talk about an own goal. Fuck me, this moron didn't spend even 30 seconds thinking through the logical consequences of doing this. Fucking Reddit poisoning, man.
 
So far, there's nothing to go off other than the poster's own word (like with Byuu). The account was created on Github less than 5 hours before posting. Some might call bs because of that, others might say that's because they made a throwaway to be anonymous. There's no identification of what NGO it is either but that could be chalked up to just wanting to be anonymous. The poster more or less implies that they don't have any backups, which sounds like it would be the number one thing an organization this important wouldn't fuck up. On the other hand, there are many organizations (government and otherwise) that are shockingly incompetent, so it's really hard to tell. However, he's said they are going ahead with litigation, so we'll find out sooner or later if it's fake or gay
Pretty much what @Markass the Worst said, yeah. Also the bit about the NGO and "on recommendations of legal counsel we're thinking about filing criminal charges federally" kind of gives it away as a LARP too. Not to mention that they redacted the statement because they were asked to, but then immediately reuploaded it on another platform with an embed link. (Presumably they were 'asked to withdraw it by GitHub', because who else would be okay with them just reuploading it anyway to weasel out of the withdrawal?)

Sure, maybe it'll turn out to be legit and bdsmith72 there just sucks at articulating things. But in the meantime, my gaydar is picking up strong signals.

I know you're being sarcastic but I think that only applies to accidental damage.
I'm not so sure. I'd definitely be interested in hearing some arguments either way even if this doesn't end up going to court, but just from my armchair it seems pretty clear to me that all the major licenses have the "at your own risk" thing locked down. Is there precedent for intentional maliciousness being an exception to such statements?
That's going to be the most interesting part of what happens next, I think. Sure, the MIT License is pretty emphatic about the responsibility/warranty disclaimer, but does that apply to intentionally and maliciously sabotaging your own code, and for the purpose of committing a criminal act? I reckon even if the former is covered under the letter (but sure as fuck not the spirit) of the FOSS license, then surely the latter (i.e. the willful destruction of others' property) is still a big deal.
 
Sure buddy, I'm sure the Kremlin and the Russian Military and Intelligence services are definitely going to use open-source Javascript from some balding American soylord.

Unlike, say, Russian dissidents who would want to know exactly what code they're running and don't have the money for commercial code because the Russian economy bombed.

Talk about an own goal. Fuck me, this moron didn't spend even 30 seconds thinking through the logical consequences of doing this. Fucking Reddit poisoning, man.
This is incorrect.

Russian dissidents are personally rich, extremely well-funded, and get dollar-denominated salaries. Many of them haven't lived in Russia for years, and a shitton emigrated in the recent weeks. Dissident orgs do use open-source Javascript from balding American soylords, we know it from their job openings.

I didn't get to see a lot of the Russian military (I only made it as far as the first checkpoint of a heavy weapons lab), but I have the impression they hire poor talented autists who can't make it in commercial IT, due to not fitting the soy corporate culture, and pay them a pittance. You have to love math for real and have excellent health to get in.

And then there are well-funded agencies (like the censorship office Roskomnadzor) which pay almost the same as businesses and attract the same crowd of terminally online redditors and dangerhairs with septum piercings. During the very short time I worked there, the censorship engine went down for half a day because they didn't lock the version of pip (python package installer).

Which is to say, the attack was likely to hit both dissidents and the Russian propaganda arm (because they're soy, not because they have funding issues). Military and intelligence, not too likely.
 
People are cheering on this guy being fucked and his life ruined, but I'm not actually seeing any evidence anything bad has happened to him other than him being sent pizzas and a failed SWATting attempt.
It's been a couple days since shit hit the fan. It will take at least a couple weeks for the real collateral damage to hit. Plus, I doubt his wife is too happy with his tranny chasing ways. If they found his fucking Ashley Madison account, I am almost certain they have his wife's email. That's not even mentioning the fact he created a fucking virus that can be weaponized against literally everyone in the world with some minor modifications to it. It's hitting Russians and Belarusians now, but all you have to do is change it to American IP ranges to become a matter of national security, which isn't difficult. This soynigger is legit retarded for doing this. He should have done what the Notepad++ dev does and just use it to sperg about politics (with maybe an annoying text file talking about it), not create malicious malware that has the potential to fuck with pretty much every JS running computer out there
 
And like most western programmers/tech workers he's a lazy dumbass who just took Javascript and NPM calls for their own use. GGWP faggot.
 
No. I will die on this hill. Typescript is autistic as fuck but the ONE thing it does very well is strong typing. Either he thinks he's too clever for typescript or doesn't understand it, but either way he's retarded. He probably barely understands how to copy/paste code samples and change the variable names.
It may do it well, but as elitist as this sounds, senior-level (read: actually competent) developers forced to use Javascript for production work are still expected to be skilled enough to be aware of (and avoid/guard against) issues raised by weakly-typed languages.

At my office, it's a standing order that trying to shovel Typescript-related stuff into production code is a fireable offense. And the senior manager who said this was only half-joking. I can easily shield a junior developer from that punishment ... for a first-time offense. It's called a "junior-level" position for a reason. But a repeat offense? Or a senior developer does it? Nah, sorry mate. I'll put in a good word for you but you're still going to stand tall before the man for it.

I wouldn't even call it strong typing so much as a shitty validation function.
Yeah, this kind of thing is best done as an inlined assert anyway:
JavaScript:
const assert = require('node:assert'); // built-in, no external dependency
const someNumber = untrustedClient.getUserInput('penis_length_in_inches'); // User enters "biblical"
assert(typeof someNumber === typeof 9); // throws AssertionError if anything but a number got this far
naiveTrustingService.broTrustMe.doThingWithNumber(someNumber);
If you're worried enough about type safety that you're considering shoehorning strong typing into a weakly-typed language, this is a better alternative that relies on existing language features. Yes, the above code will crash (well, throw an AssertionError, but catching that and taking any action other than screaming loudly is missing the point anyway) but that is a pain point you want. It should never crash by failing that assert, and it will only crash when you (the developer) allow garbage to reach it. In the above example, the right solution is to add validation to getUserInput() directly.

What this dipshit's done is taken this bog-simple concept, discarded assert (while still throwing an exception like assert does), made it a function and wrapped it in a god damn module and then shoveled it into npm. So much needless indirection and an external dependency to boot. It's literally a one-line check with built-in language features, but using this "method" instead involves importing a module, instantiating it (or at least assigning it to a local variable), making a function call into the module and wrapping it in a try/catch. Soooo slooooow...

If I read the word "transpiling" one more time I might throw up. Talk about looping thoughts.
Want to really be sick? Microsoft are trying to shoehorn Typescript into Javascript now. Submitted to the TC39 committee and everything.

It's kinda funny ... I have some modest respect for tools like Babel for accomplishing what they did when all the "fancy" features started appearing in ES6, like spread operators and classes and the like. Not strictly because those features were super-duper awesome, but because when they "transpiled" ES6 down to plain ol' Javascript they at least made correct choices in how to implement those features as efficiently as possible.

To this day it continues to infuriate me how when new language features get added to Javascript, all the implementations of those features end up being slow as fuck. For instance, as useful and expressive as the spread operator is, it's a dog compared to Object.assign(), which is 209% faster according to a silly benchmark.
 
Most companies should have randomized password encryptors similar to the ones Steam uses; kind of like two-step authentication. Problem is most companies operate on tech ten even twenty years older than modern tech and are therefore lazy in thinking their machines are not susceptible to the new malware and backdoor programs.
Most companies can't afford and/or undervalue actual security (even IT in general) experts. One of those things you won't see the value in until something actually happens.
 
It may do it well, but as elitist as this sounds, senior-level (read: actually competent) developers forced to use Javascript for production work are still expected to be skilled enough to be aware of (and avoid/guard against) issues raised by weakly-typed languages.

At my office, it's a standing order that trying to shovel Typescript-related stuff into production code is a fireable offense. And the senior manager who said this was only half-joking. I can easily shield a junior developer from that punishment ... for a first-time offense. It's called a "junior-level" position for a reason. But a repeat offense? Or a senior developer does it? Nah, sorry mate. I'll put in a good word for you but you're still going to stand tall before the man for it.


Yeah, this kind of thing is best done as an inlined assert anyway:
JavaScript:
const assert = require('node:assert'); // built-in, no external dependency
const someNumber = untrustedClient.getUserInput('penis_length_in_inches'); // User enters "biblical"
assert(typeof someNumber === typeof 9); // throws AssertionError if anything but a number got this far
naiveTrustingService.broTrustMe.doThingWithNumber(someNumber);
If you're worried enough about type safety that you're considering shoehorning strong typing into a weakly-typed language, this is a better alternative that relies on existing language features. Yes, the above code will crash (well, throw an AssertionError, but catching that and taking any action other than screaming loudly is missing the point anyway) but that is a pain point you want. It should never crash by failing that assert, and it will only crash when you (the developer) allow garbage to reach it. In the above example, the right solution is to add validation to getUserInput() directly.

What this dipshit's done is taken this bog-simple concept, discarded assert (while still throwing an exception like assert does), made it a function and wrapped it in a god damn module and then shoveled it into npm. So much needless indirection and an external dependency to boot. It's literally a one-line check with built-in language features, but using this "method" instead involves importing a module, instantiating it (or at least assigning it to a local variable), making a function call into the module and wrapping it in a try/catch. Soooo slooooow...


Want to really be sick? Microsoft are trying to shoehorn Typescript into Javascript now. Submitted to the TC39 committee and everything.

It's kinda funny ... I have some modest respect for tools like Babel for accomplishing what they did when all the "fancy" features started appearing in ES6, like spread operators and classes and the like. Not strictly because those features were super-duper awesome, but because when they "transpiled" ES6 down to plain ol' Javascript they at least made correct choices in how to implement those features as efficiently as possible.

To this day it continues to infuriate me how when new language features get added to Javascript, all the implementations of those features end up being slow as fuck. For instance, as useful and expressive as the spread operator is, it's a dog compared to Object.assign(), which is 209% faster according to a silly benchmark.
To be fair, they aren't trying to change any functionality; they are looking to add syntax to help type checkers (treating the syntax as comments). However, I'm guessing it's just a pretext to further specs
 
He's active on Github right now: https://github.com/RIAEvangelist/node-ipc/issues/527

Going through all the closed issues on node-ipc, He has just been frantically closing all of them and deleting comments, lol

It's incredible that he's doing all this ... on the world's most popular open-source hosting platform, which is built on (and fucking named after) the source control software that inspired it, and where preserving historical versions of everything (comments, pull requests, text, issue titles, source code, etc.) is a fundamental feature. Anyone can go back in any issue's history or the repository's commits to see the original discussions and nefarious deeds. That and all the "juicy" stuff has been well-preserved by all sorts of people, has hit the search engines and has even been formally documented at NIST as a vulnerability.

There's no erasing this now. This is a profoundly stupid person.

but does that apply to intentionally and maliciously sabotaging your own code, and for the purpose of committing a criminal act?
No. /g/ has been flooded with trolls (and idiots, I assume) all smugly proclaiming "but muh license!" indemnifies this idiot against damage claims. They're wrong, of course.

A license agreement cannot indemnify a party from prosecution for a crime they commit. Whether a piece of paper two people agreed to says "if you use my software you have to accept anything and everything it does" or not, pwning a computer system is still a crime. The vector of attack (and the license agreement governing it, if any) is irrelevant.

Consider the current plague of software-as-a-service. If you pay for a year of access to Adobe Photoshop, if you stop paying after that year, all they do is stop the software from working for you until you pay for it again. They don't go through your filesystem to delete anything you created with it (or just files at random). I don't doubt it's crossed their minds, but their lawyers have probably warned them they'll get in hot water for that. Even just holding a customer's data hostage on their own computers while resolving a payment dispute is a legal grey area.

This guy? He wrote malicious code with no legitimate purpose (i.e. his users would never want it to be triggered and perform its actions on their own systems), obfuscated it (a little), snuck it into an update without disclosing it or warning anyone and allowed it to be released and deployed. When confronted he openly acknowledged he did it to cause damage to specifically-targeted computer systems, then when he realized he'd made a big mistake he quickly began (poorly) trying to cover his tracks.

Null is spot on -- this was malware. You can't protect yourself from legal action or prosecution just by saying "lol I can do what I want" in the license agreement.

ETA:
To be fair, they aren't trying to change any functionality; they are looking to add syntax to help type checkers (treating the syntax as comments). However, I'm guessing it's just a pretext to further specs
This is standard operating procedure for Microsoft: embrace, extend, extinguish.

VS Code and WSL are the "embrace" phase (get everyone hooked on their tools and ecosystem). Typescript is the "extend" phase ("it's our flavor of Javascript! Totally backwards-compatible, but with more features!"). Screwing with the Javascript standards is the beginning of the "extinguish" phase ("everybody uses this anyway, so why not make it the new standard and throw out this old-and-busted ES5 stuff? Our technology includes all its features anyway! Why no, we'll never lock it down and/or remove features, why would you ever think that?").
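The two supply-chain failures the thread touches on, the unpinned pip install that took a service down and the malicious update that slipped in through a routine dependency upgrade, share one defence: pin what you depend on and check what is actually locked. An added example (not code from the thread or from node-ipc) that audits a package.json and a package-lock.json for range specifiers, missing integrity hashes, and locked versions named in an advisory; the sample files and the advisory versions are constructed placeholders, not the real affected releases.

```javascript
// Added example (not from the thread or node-ipc). Audits the dependency
// declarations and lockfile a project ships with. Sample inputs are constructed
// and the advisory versions are PLACEHOLDERS, not the real affected releases.

// Exact version: nothing npm could resolve to a newer release on a fresh install.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// PLACEHOLDER advisory: package name -> versions known to carry a malicious payload.
// In practice this list comes from the NIST/GitHub advisory, not from here.
const ADVISORY = { 'node-ipc': ['1.0.9'] };

// Returns a list of findings; an empty list means nothing was flagged.
function auditDependencies(packageJsonText, lockJsonText, advisory = ADVISORY) {
  const pkg = JSON.parse(packageJsonText);
  const lock = JSON.parse(lockJsonText);
  const findings = [];

  // 1. Range specifiers ("^", "~", ">=", "*", "latest", git URLs) let a routine
  //    `npm install` pull a release nobody reviewed.
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!EXACT_VERSION.test(spec)) {
        findings.push({ name, issue: `${section}: "${spec}" is a range, not a pinned version` });
      }
    }
  }

  // 2. Lockfile (lockfileVersion 2/3 "packages" map): every installed package needs
  //    an integrity hash, and none may be a version named in the advisory.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (!entry.integrity) {
      findings.push({ name, issue: 'lockfile entry has no integrity hash' });
    }
    if ((advisory[name] || []).includes(entry.version)) {
      findings.push({ name, issue: `locked version ${entry.version} is listed in the advisory` });
    }
  }
  return findings;
}

// Constructed sample project: one range, one unpinned-integrity entry, one advisory hit.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'demo',
  dependencies: { 'node-ipc': '^1.0.0', 'left-pad': '1.3.0' },
});
const SAMPLE_LOCK_JSON = JSON.stringify({
  name: 'demo',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/node-ipc': { version: '1.0.9', resolved: 'https://registry.example/node-ipc-1.0.9.tgz', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/left-pad': { version: '1.3.0', resolved: 'https://registry.example/left-pad-1.3.0.tgz' },
  },
});
```

Run it as `auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_JSON)` to see the three findings; on a real project feed it the file contents and the current advisory list.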
 
What a walking stereotype.
  • California code monkey with ego complex
  • Obsessed electric vehicle hobbyist
  • Crashes his own repo for clout
  • Oversells his skill as Director of Front End Technology rather than web developer for Spanish clothing company
  • Libertarian guy with Asian wife
  • Takes compound last name (listing her surname first)
  • Lists his name in Nipponese on Facebook 武嵐呑 aka weeb
  • Philanderer
In reality this guy is a passive code monkey who is petty, jaded, and cannot appreciate anything. Always coveting what others have, constantly looking for greener grass. Every time he gets what he wants it never meets the rosy and romantic vision that was in his head. This project was probably his greatest source of pride. Now that he has destroyed his best work the next step is to ruin his tenuous marriage and then become a troon.
Wow his Youtube channel is exactly what to expect from someone who has never touched a soldering iron yet really loves electronic vehicles. Looks like his two friends are the mechanical and hardware guys while Brandon is the designated camera holder and tool fetcher. A troon saga is looking more and more like a reality.
 