Diseased Open Source Software Community - it's about ethics in Code of Conducts

Giving a single company the ability to forge login credentials all over the place is such an amazingly retarded decision it boggles the mind. I hope saving the few bucks in administration costs was worth this disaster.

There is actually some value for that: if someone leaves you can just cancel that one account and revoke access to everything, rather than having to hunt down 20 different accounts hoping you don't forget anything. That's *also* a security liability. There are also issues with random websites/services not necessarily doing a great job at authentication themselves, and people using that as a foot in the door to escalate their authorisation (e.g. use Zoom to escalate to email by messaging someone, or using a leaked password from service A to log in to service B).

You could almost say that account management in a business with hundreds, thousands, or more people is kind of a hard problem with no easy simple answers.
 
There is actually some value for that: if someone leaves you can just cancel that one account and revoke access to everything, rather than having to hunt down 20 different accounts hoping you don't forget anything. That's *also* a security liability. There are also issues with random websites/services not necessarily doing a great job at authentication themselves, and people using that as a foot in the door to escalate their authorisation (e.g. use Zoom to escalate to email by messaging someone, or using a leaked password from service A to log in to service B).

You could almost say that account management in a business with hundreds, thousands, or more people is kind of a hard problem with no easy simple answers.
I can see the use of some form of central account management, sure. But why oh why would you then outsource the administration of that system to someone else? That's what gets me, the company handling SSO on someone else's behalf becomes a bigger and bigger single point of failure with each new customer. Even just buying the management software from them and hosting it yourself would have been preferable, at least then the SPoF only exists on the technical level, rather than social level as well.
 
Giving a single company the ability to forge login credentials all over the place is such an amazingly retarded decision it boggles the mind. I hope saving the few bucks in administration costs was worth this disaster.

What they won't admit, in all their desperation to say this wasn't a full admin page that was compromised, was that even the reduced "support panel" that was accessible allowed the user to issue SAML certificates for every company user without any additional checks. That's basically giving away the keys to the castle even if the initial exploit is fully closed!

There is actually some value for that: if someone leaves you can just cancel that one account and revoke access to everything, rather than having to hunt down 20 different accounts hoping you don't forget anything. That's *also* a security liability. There are also issues with random websites/services not necessarily doing a great job at authentication themselves, and people using that as a foot in the door to escalate their authorisation (e.g. use Zoom to escalate to email by messaging someone, or using a leaked password from service A to log in to service B).

You could almost say that account management in a business with hundreds, thousands, or more people is kind of a hard problem with no easy simple answers.

I agree 100% with your last point, which is exactly why this industry needs more disclosure, needs more open source infrastructure and absolutely needs proper transparency. Obfuscation and reliance on a dated "security through obscurity" model is a recipe for the destruction of core economic players in anything ranging from simple criminal action to terrorist attacks on infrastructure to a full out cyberwar. The current system is a joke and is why China and Russia have been aggressively developing their own solutions to avoid half baked private SSO firms from being the weak link for major industries and government bodies. I'm not arguing the west should do the same but they definitely need to support the players who do things properly and aggressively shame, and potentially punish, firms who try to hide and minimize the impact of attacks on their software.
 
I agree 100% with your last point, which is exactly why this industry needs more disclosure, needs more open source infrastructure and absolutely needs proper transparency. Obfuscation and reliance on a dated "security through obscurity" model is a recipe for the destruction of core economic players in anything ranging from simple criminal action to terrorist attacks on infrastructure to a full out cyberwar. The current system is a joke and is why China and Russia have been aggressively developing their own solutions to avoid half baked private SSO firms from being the weak link for major industries and government bodies. I'm not arguing the west should do the same but they definitely need to support the players who do things properly and aggressively shame, and potentially punish, firms who try to hide and minimize the impact of attacks on their software.
The other vulnerability is from plain old retardation. One stupid mistake can mean locking your entire company out of its offices, or bringing down service by accidentally revoking privileges from everyone at once. The bigger a company gets the dumber it becomes. You can't trust the reliability of complex and futuristic internal security schemes if you're working with the bottom-barrel IT drones they have in Silicon Valley.

A recent example of this is when Facebook's badge authentication service went down and it locked all its employees outside for a day because they only used electronic locks.
 
The other vulnerability is from plain old retardation. One stupid mistake can mean locking your entire company out of its offices, or bringing down service by accidentally revoking privileges from everyone at once. The bigger a company gets the dumber it becomes. You can't trust the reliability of complex and futuristic internal security schemes if you're working with the bottom-barrel IT drones they have in Silicon Valley.

A recent example of this is when Facebook's badge authentication service went down and it locked all its employees outside for a day because they only used electronic locks.

Funny thing about that is Sheryl Sandberg said the following when a friend, an early employee there, had concerns that the locks were totally digital when first installed, (mainly due to implications on safety in the case of emergencies, such as power loss or active shooters) - a physical key wasn't worth "the aesthetic downgrade", that "[w]e're Facebook, how long will they let us be locked out for? We're not a section 8 tenant." and "Would you be questioning me about this if you were talking to Zuck? If I was a man?" That was the straw that broke the camel's back and sadly he left before he could even see himself vindicated, although she's so self unaware I doubt he would have gotten any joy out of it - she'd never give any indication of doubt or regret.
 
I can see the use of some form of central account management, sure. But why oh why would you then outsource the administration of that system to someone else? That's what gets me, the company handling SSO on someone else's behalf becomes a bigger and bigger single point of failure with each new customer. Even just buying the management software from them and hosting it yourself would have been preferable, at least then the SPoF only exists on the technical level, rather than social level as well.
The reason everything from authentication solutions to platforms to application development to infrastructure is being sourced from 3rd parties is that it takes the burden off the company to maintain their own big IT department. Over the past decade a lot of heavy hitters began subscribing to software-as-a-service, and as more and more solutions become available as services, more and more independently developed solutions are being migrated to service-based solutions from 3rd parties.

Often it is sold internally as a security benefit, the idea being that one company can do one thing really good and securely, and sell that as a service to everyone else, as opposed to 1000 companies doing that one thing poorly, and having to pay more to do it.

Obviously it doesn't always work that way, but this is the idea/motive.
 
I can see the use of some form of central account management, sure. But why oh why would you then outsource the administration of that system to someone else?
For the same reason companies outsource any other IT service rather than do it in-house; it's much easier. Not everyone has the time or expertise to set up their own SSO server and do it correctly.

How many companies host their own email servers?
 
I can see the use of some form of central account management, sure. But why oh why would you then outsource the administration of that system to someone else? That's what gets me, the company handling SSO on someone else's behalf becomes a bigger and bigger single point of failure with each new customer. Even just buying the management software from them and hosting it yourself would have been preferable, at least then the SPoF only exists on the technical level, rather than social level as well.

Well, this assumes that you can do a better job than a specialized company. Is that the case? Sometimes, maybe. But looking back on my career where seeing ops teams struggle to even keep the basic internal plumbing running – much less keep secure – I think many companies would struggle with this. "Host it yourself" sounds easy until you're juggling a whole bunch of services around with an ops team of 2 people who also have to do a crapton of other stuff. And this isn't some sort of minor thing like a company blog or whatnot; if your auth service is down then your company is on its ass.

All of that said, Okta doesn't exactly inspire a great deal of confidence in me here, but I never heard of them before this story so I don't want to judge *too* quickly...
 
The reason everything from authentication solutions to platforms to application development to infrastructure is being sourced from 3rd parties is that it takes the burden off the company to maintain their own big IT department. Over the past decade a lot of heavy hitters began subscribing to software-as-a-service, and as more and more solutions become available as services, more and more independently developed solutions are being migrated to service-based solutions from 3rd parties.

Often it is sold internally as a security benefit, the idea being that one company can do one thing really good and securely, and sell that as a service to everyone else, as opposed to 1000 companies doing that one thing poorly, and having to pay more to do it.

Obviously it doesn't always work that way, but this is the idea/motive.
Biggest flaw behind this is the fact that companies love to go for the lowest bidder, even if it means it'll completely screw them in the long run. 9 times out of ten, it gets farmed to a company in a 3rd world country where workers are paid barely anything and probably aren't even equipped for the job. Also doesn't help if the IT company you hired is trying to obfuscate as much stuff as possible to make it look like they're doing a good job, when in reality they also farmed the work to another person, who then farmed the work to his child because he knows a lot about those computer games and the tiktok.

If you want to fire your dedicated in house IT team, do yourself a favor and burn the amount you would pay for the IT team in a furnace, keep the IT team and pay them that anyway, because I guarantee you that you'll still not spend as much money on hiring the lowest bidder.
 
Guy says he works for an American NGO that lost whistleblower intel involved in the conflict. Possibly fake and gay, but also plausible. It's getting a lot of attention. https://github.com/RIAEvangelist/node-ipc/issues/308 (https://archive.ph/yfFMi)

I can't confirm which NGO it is nor am I saying this guy is legit (he could have heard about the situation from the same circles as I did) but I've heard from figures affiliated with BEROC (https://beroc.org/en/), IRF (https://www.irf.ua/en/) and Ostrogorski (http://ostrogorski.org/en) - basically orgs all across the ideological spectrum of economics/policy think tanks - who have been working with their Ukrainian policy counterparts on recording conflict data such as what was described. They did not mention a specific org (and the way it sounded to me it may have been a temporary tech solution set up by multiple groups) but somehow there was a massive loss of data.

That said, I'm skeptical it is lost forever. They were all confident that most of it was replicated elsewhere and total legitimate losses would be minimal. The lack of additional verification/confirmation elsewhere or mentions of the loss subsequently suggests to me that a successful partial, or full, recovery was made.
 
Has to be a LARP yes?

:thinking:

Wix site listed is shitty which is another giveaway I guess


 

The Go patch they sent breaks tests and makes various sentences nonsensical: https://github.com/golang/go/pull/52057/files

In the electron PR it replaces "he/she" with "they/they": https://github.com/electron/electron/pull/33532/files

The ohmyzsh PR completely wrecks a whole bunch of things: https://github.com/ohmyzsh/ohmyzsh/pull/10814/files – it changes "man pages" to "person pages" and a bunch of other garbage.

The FreeCodeCamp PR changes 5000+ files(!!!!): https://github.com/freeCodeCamp/freeCodeCamp/pull/45569/files – and if you look at the changes it's complete garbage ("help" changes to "theylpe", "headers" to "theyaders", etc. It matches the "he" in there, I guess they started using "\bhe\b" for word boundaries in later PRs).

Even the most junior of idiotic devs will understand that a "s/man/person/" and "s/he/they/" on actual code will not end well. And maybe, just a radical thought, actually look at at least the first few PRs before you vomit them all over GitHub?

And what kind of developer uses *Wix* to make a static site when you can use GitHub sites (or a number of other solutions), or Google Forms when you can use GitHub issues, or any other number of dev-oriented solutions for that, too.

I want this to be some sort of performance art parody, but I'm afraid it's not...

Based on the inclusive-coding-bot/test_non_inclusive_repo repo, which is forked from jamiepinheiro/test_non_inclusive_repo, it seems that this Jamie Pinheiro is the one behind this. Also see this test PR, and he's also a member of the University of Waterloo organisation, and the bot's location is also Waterloo.
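The substitutions criticised in the post above (a plain `s/he/they/` and `s/man/person/` run over code, then the later `\bhe\b` word-boundary variant), as an added Python example that is not part of this thread or of any of the linked PRs: it runs each rewrite over a constructed sample repository, shows why word boundaries fix "help"/"headers" but still rewrite the `man` command and the ISO 639-1 Hebrew locale code `he` in a path, and adds a scoped variant (assumed here as the mitigation, not something from the bot) that only touches the contents of documentation files. The `files_touched` count is the number a reviewer of such an automated PR should check before merging.

```python
import re

def naive_rewrite(text):
    """s/he/they/ and s/man/person/ with no word boundary, as in the early PRs:
    'help' -> 'theylp', 'headers' -> 'theyaders', 'manager' -> 'personager'."""
    return text.replace("he", "they").replace("man", "person")

def word_boundary_rewrite(text):
    """The later \\bhe\\b variant. Spares 'help' and 'headers', but still hits the
    shell command 'man' and the ISO 639-1 Hebrew locale code 'he' in a path."""
    text = re.sub(r"\bhe\b", "they", text)
    return re.sub(r"\bman\b", "person", text)

# Assumed mitigation: only the contents of documentation files are eligible,
# never paths, code, scripts or locale trees. Every diff still gets human review.
DOC_EXTENSIONS = {".md", ".rst", ".txt"}

def scoped_rewrite(path, text):
    """Return (path, text) with the word-boundary rewrite applied to the text of
    documentation files only; everything else is returned exactly as given."""
    name = path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext not in DOC_EXTENSIONS:
        return path, text
    return path, word_boundary_rewrite(text)

def naive_files(path, text):
    """Bot behaviour 1: rewrite both the path and the contents, no boundaries."""
    return naive_rewrite(path), naive_rewrite(text)

def word_boundary_files(path, text):
    """Bot behaviour 2: rewrite both the path and the contents, whole words only."""
    return word_boundary_rewrite(path), word_boundary_rewrite(text)

# Constructed sample repository; none of this is taken from the PRs the thread links.
SAMPLE_REPO = {
    "docs/usage.md": "If he needs help, read the man pages.",   # prose: the intended target
    "scripts/install.sh": "man ssh_config",                      # 'man' is a command here
    "translations/he/messages.json": '{"greeting": "shalom"}',   # 'he' is the Hebrew locale
    "src/server.py": "header_manager.fetch(headers)",            # identifiers, must not change
}

def files_touched(repo, rewrite):
    """Paths whose name or contents `rewrite` would alter. A count far above the
    number of prose files is the signal that the bot is editing code, not text."""
    return sorted(p for p, text in repo.items() if rewrite(p, text) != (p, text))

if __name__ == "__main__":
    for fn in (naive_files, word_boundary_files, scoped_rewrite):
        print(fn.__name__, files_touched(SAMPLE_REPO, fn))
```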
 
Has to be a LARP yes?

:thinking:
Zuck is not playing around:

The he-translate is a Hebrew translation tree. This retarded bot, if real, is going to break a lot of files.
The way GitHub works is the commit has to be merged before any changes are actually made to the codebase. I would find it hilarious if some virtue-signalling faggot merged the bot's pull request without even looking at what it's changing and it ends up breaking everything. Maybe this is some 200 IQ false flag operation, but most likely it's not and whoever designed it is just delusional.
Based on the inclusive-coding-bot/test_non_inclusive_repo repo, which is forked from jamiepinheiro/test_non_inclusive_repo, it seems that this Jamie Pinheiro is the one behind this. Also see this test PR, and he's also a member of the University of Waterloo organisation, and the bot's location is also Waterloo.

Xirs please to do the needfuls
 
High chance this is an attempt at a popular type of credential inflation/fraud. You make lots of useless PRs to lots of big name repos and then if any get in you claim them on your resume.
The Schlinkert schtick? Maybe, but this guy seems more like clueless. He actually did some useful work on Google, so he probably has no need to inflate some bullshit stats, but on his resume he brags about using Clubhouse, which means he doesn't read NYT. I think this is a prime example of a useful idiot - he doesn't think much about politics, he read somewhere that this is now a thing some charities care about, so he got to work. "I'm gonna do something for the common good" he thought.

Edit: I didn't notice the dates on the resume. You're right, this guy is a scammer.
 