
posted by janrinok on Thursday May 03 2018, @03:35PM

Submitted via IRC for SoyCow8317

The Node Package Manager (npm) team avoided a disaster today when it discovered and blocked the distribution of a cleverly hidden backdoor mechanism inside a popular —albeit deprecated— JavaScript package.

The actual backdoor mechanism was found in "getcookies," a relatively newly created npm package (JavaScript library) for working with browser cookies.

The npm team —who analyzed this package earlier today after reports from the npm community— says "getcookies" contains a complex system for receiving commands from a remote attacker, who could target any JavaScript app that had incorporated this library. The npm team explains:

The backdoor worked by parsing the user-supplied HTTP request.headers, looking for specifically formatted data that provides three different commands to the backdoor. [...] We can see here that the headers are stringified and the result searched for values in the format of: gCOMMANDhDATAi

Source: https://www.bleepingcomputer.com/news/security/somebody-tried-to-hide-a-backdoor-in-a-popular-javascript-npm-package/
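A defender's first question after a report like this is whether the named package is anywhere in the dependency tree, including as a transitive dependency that never appears in package.json. The script below is an added example (not code from the article, from npm or from the getcookies package) that walks a package-lock.json in either the v1 nested layout or the v2/v3 flat layout and lists every path through which "getcookies" enters; the lockfile objects embedded in it are constructed samples with invented versions.

```javascript
// Added example, not code from the article, npm or the getcookies package:
// list every path through which a named package enters an npm dependency
// tree, reading package-lock.json in either the v1 nested "dependencies"
// layout or the v2/v3 flat "packages" layout. Sample lockfiles are constructed.
function findPackage(lock, name) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: keys are install paths like "node_modules/a/node_modules/b";
    // the last path segment is the package name.
    for (const [key, meta] of Object.entries(lock.packages)) {
      const chain = key.split("node_modules/").filter(Boolean)
        .map((s) => s.replace(/\/$/, ""));
      if (chain.length && chain[chain.length - 1] === name) {
        hits.push({ path: chain.join(" > "), version: meta.version });
      }
    }
    return hits;
  }
  // v1: nested objects; each dependency may carry its own "dependencies".
  const walk = (deps, chain) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = chain.concat(dep);
      if (dep === name) hits.push({ path: here.join(" > "), version: meta.version });
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (versions invented): a framework pulls
// getcookies in transitively, so it never appears in package.json.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-web-framework": {
      version: "1.0.0",
      dependencies: { getcookies: { version: "1.0.0" } },
    },
  },
};
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/some-web-framework": { version: "1.0.0" },
    "node_modules/some-web-framework/node_modules/getcookies": { version: "1.0.0" },
  },
};
```

To run it against a real project, replace the sample object with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means the package is not installed at any depth.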

  • (Score: 2) by AssCork on Thursday May 03 2018, @05:46PM (7 children)

    by AssCork (6255) on Thursday May 03 2018, @05:46PM (#675176) Journal

    No Such Agency
    Nothing to see here, folks. Move along.

    By the way, who still chooses to use Java? I mean, we have . . .oh.

    --
    Just popped-out of a tight spot. Came out mostly clean, too.
  • (Score: 3, Informative) by DannyB on Thursday May 03 2018, @06:24PM (5 children)

    by DannyB (5839) Subscriber Badge on Thursday May 03 2018, @06:24PM (#675206) Journal

    I hope you're not confusing Java and JavaScript. They are not the same thing. Only slightly superficially similar.

    Hey, ten years ago, Java wasn't a bad choice when starting a new project.

    It's still not bad. But I'm keeping my eye on other things. Node.js is a favorite interest.

    If you're building a small website or small application, don't use Java. Use PHP or something simple. If you're building a gigantic application, Java shines. Especially if you will be maintaining it for many years.

    Ah, but who lives with the code they write these days. Just write a big mess, and move on, leaving someone else to maintain it.

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
    • (Score: 1, Informative) by Anonymous Coward on Thursday May 03 2018, @08:42PM

      by Anonymous Coward on Thursday May 03 2018, @08:42PM (#675296)

      There's also the classic amateur misunderstanding of "Java Applet in the browser" and "the workhorse code that does your banking".

    • (Score: 4, Interesting) by tangomargarine on Thursday May 03 2018, @09:47PM

      by tangomargarine (667) on Thursday May 03 2018, @09:47PM (#675341)

      I hope you're not confusing Java and JavaScript. They are not the same thing. Only slightly superficially similar.

      This is exactly why they decided to name it JavaScript in the first place--because only programmers can ever remember Java and JavaScript are two different things :P

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 3, Interesting) by Thexalon on Friday May 04 2018, @03:33AM (2 children)

      by Thexalon (636) on Friday May 04 2018, @03:33AM (#675469)

      If you're building a small website or small application, don't use Java. Use PHP or something simple.

      PHP combines all the syntactical simplicity of Perl with the library consistency of Java. Which is to say, it's awful on both counts.

      If you're looking for simple, I'd vote for Python/Django. It's very good at expressing a lot with very little code, and not being super-complicated about it.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 4, Funny) by DannyB on Friday May 04 2018, @03:44AM

        by DannyB (5839) Subscriber Badge on Friday May 04 2018, @03:44AM (#675471) Journal

        I looked at PHP about 18 years ago. Obviously, I am not a modern PHP programmer. :-)

        As for the other thing that you mention . . .

        Even modern mental health care has great difficulty helping people to achieve complete recovery from having programmed in Perl.

        A problem i had to unfurl.
        My stomach it started to hurl.
        A bad referenced array,
        I found, to my dismay,
        I'm just glad it's not written in C++.

        --
        To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
      • (Score: 2) by JNCF on Friday May 04 2018, @01:03PM

        by JNCF (4317) on Friday May 04 2018, @01:03PM (#675627) Journal

        If you're looking for simple, I'd vote for Python/Django. It's very good at expressing a lot with very little code, and not being super-complicated about it.

        Ruby is much more expressive than Python, if you're looking for short sweet snippets of code. Rails is arguably complicated in that it dictates a bunch of things and expects you to understand them, but there are other Ruby frameworks that demand less conformity.

  • (Score: 0) by Anonymous Coward on Thursday May 03 2018, @08:51PM

    by Anonymous Coward on Thursday May 03 2018, @08:51PM (#675299)

    Let's jump to conclusions? Other possible IP origins (and IPs can be spoofed you know) are the Creme Lynn, Bay Jingo and several others.

    Me, I'm waiting until something core to the internet like jquery or node.js gets backdoored, hacked, whatever. Then we watch the grenade in the henhouse - foxes being redundant.