I’ve heard people mention curl and imagemagick. Any others that you know about?
Had GPT summarize what happened.
The “left pad” incident refers to a controversy that arose in 2016 when a developer named Azer Koçulu removed his JavaScript package called “left-pad” from the NPM (Node Package Manager) registry. This caused a ripple effect, breaking numerous projects that relied on this package and highlighting the potential risks of relying on external dependencies. The incident sparked a debate about the stability and trustworthiness of the open-source ecosystem and led to discussions about best practices for managing dependencies in software development.
From memory the NPM blokes had to have a think about how they handle important packages because of that. Didn’t they revert the changes to left pad to ensure everything else didn’t break?
Fascinating to see the house of cards some of these solutions / libraries are built off
Log4j was a fun one to watch unfold everywhere when things went haywire
The neat thing about the log4j thing was even a cursory explanation of the vulnerability made anyone with a passing familiarity with security say, “Why the fuck would that even be a feature?!”
Basically it involved parsing JNDI stuff which involved grabbing remote code (but that was a niche feature of JNDI in the Dev’s defense). Basically, you may think it is just something like variable substitution but can involve much crazier stuff.
Edit: and for more context, JNDI is typically a thing for getting a database connection stored on the application server. The idea being you just ask for “customer database” and don’t have to define the connection in the code. The server has it defined elsewhere. So in each environment it works the same. Basically glorified and standardized config file type of thing.
As a non-java company developer at the time, I think our biggest challenge was explaining to everyone that Log4j didn’t affect us. It took a non-zero amount of effort because a lot of customers panicked. To be fair, it was also an industry where confidentiality is important.
It was if none of your code used log4j. I remember being very grateful that I had chosen java.util.logging and Logback for my Java logging needs.
That one was so annoying because you had to be using the log server to have any issues. If your network was locked down, the log server was disabled, or if you happened to be using a version that was from before the log server was added, then there were no issues. But clients just heard “log4j” and thought it was unsafe.
Werner Koch, the guy who created, and who has maintained for 25 years now, pretty much all by himself, GnuPG, the modern email encryption replacement for PGP.
Just the other day, I realized I actually live just a few kms away from the guy, here in Germany … very tempted to reach out to him someday and actually buy him an actual coffee.
That was the one I couldn’t remember, I got GPG and PGP confused but I remember it involved email encryption.
This guy was the reason that every security dev had those personal public keys clearly posted next to their email address on every announcement and blog post they ever released.
Sci-Hub anyone?
Alexandra Elbakyan manages this truly awesome source of scientific papers completely on her own. She got sued twice and lost, had to change the URL multiple times due to takedowns and only gets along by donations.
It is a crime to humanity to lock knowledge behind a huge paywall. She does God’s work.
And it’s not like the actual scientists/academics support knowledge being locked away either, or profit from it.
She’s the best thing that’s happened to the s scientific publishing field. I’m no longer a student but I still enjoy reading scientific papers and I’ll be damned if I have to pay $20 per article (which doesn’t go to the authors) since I no longer have access to a library that maintains relationships with these big publishers.
cURL was one of these for a while (according to my limited understanding)
It was made in the 90s and it didn’t get commercial support until a few years ago.
