Posts: 0 · Comments: 464 · Joined: 2 yr. ago

  • Guy, climate change is an obvious and currently happening thing that I 100 percent believe is real and needs to be handled.

    Going on wild tangents about how climate change makes everyone not safe in a discussion about software security is the problem.

  • This is a new trend thanks to so many products requiring web services to function. Back in the day the only thing that made products inaccessible was the fact they were not produced.

    Nowadays a lot of stuff is just a useless brick purely because an unnecessary web endpoint has been shut down. Especially video games.

  • And the problem was fixed right afterwards

    Which is expected. When it comes to security the fact it happened at all is the problem.

    I don't expect the software to be fool proof. All software has bugs and problems, but this software is specifically developed by bad actors who will eventually use the platform to fuck you over.

    Just because it happened unintentionally, doesn’t prove that we can’t trust the developers

    The developers aren't trustworthy on account of their extremist ideology, not on account of this bug happening. This bug is evidence that despite the fact that this project is open source you should not just brush off that extremist ideal as "no big deal".

    Lemmy has no financial value.

    And immense social value.

  • "I'm not going to explain why you're clearly wrong and I'm clearly right because that would open me up to making arguments that can actually be argued against".

    You treat open source like it's a magic sprinkle to get trustworthy code. It isn't, and when malicious actors control the code base and write the majority of the code it is hilariously easy to sneak many bugs in over the years. Even projects like Linux, run by people you can actually trust, have issues with third party contributors despite an incredibly rigorous approval process.

    I'm damn well aware of how this works, and you believe open source gives you security that simply does not exist.

  • I trust code I can actually read and reason about

    Unless you're auditing the code yourself you can't. This is my point. The fact something is open source does not and will never protect you unless you go out of your way to do the herculean task of auditing it yourself.

    And even if you audited it, guess what happens next week? Next year? The bigger the system gets the more valuable it is a target. I don't expect anything malicious to happen now. I expect it to happen once the growth phase is over.

    At the end of the day it all falls down to trust.

  • Like you’re on the other side of the spectrum (i.e. Nazi)?

    No, I would consider them being a bunch of Nazis just as bad. Any idealistically extreme group should never ever ever control platforms like these in any way.

    I trust these guys a lot more than most politicians or big companies

    Cheap ass copout reasoning there. You're still trusting code you shouldn't.

  • Why shouldn’t I trust Lemmy?

    They are literally ideologically aligned with a state that runs the largest mass censorship program in the world.

    I mean the devs are now finally able to finance themselves via donations

    Doesn't help. They're still potentially malicious actors.

    Just because you obviously don’t share their political view,

    It's just a sliiiight bit more extreme than a small difference.

    I also love how you're jumping goal posts here after your other point totally failed to land.

    They are closer to anarchism and Marxism

    They literally regularly praise and support China through their moderation and consider negative talk about China western propaganda.

  • It’s not a backdoor. It wasn’t malicious

    Read my comment again. I literally said this wasn't. I said this is experience that it could be easily done in the future.

    everyone can see the code, which means everyone can spot sketchy shit - either malicious or completely accidental - and fix it.

    Didn't help in this case. Open Source doesn't fix malicious contributions, and when the project owners are the malicious source you have no safeguards. Trust is still essential.

    If this was a malicious exploit, it’d have been obscured far more,

    Ex-fucking-xactly

  • And you don’t seem to know how (developing) software works, and that people aren’t infallible when it comes to avoiding bugs.

    I'm literally a professional software developer.

    I'm also telling you that people are fallible, bugs are easily missed, and you shouldn't trust a project to be secure just because it's open source.

    Popularity just also increases the attack surface to a project, all these bugs can absolutely also occur in kbin.

    Yes.

    And kbin doesn't have developers that have reason to attempt to create and support malicious code. You can trust them to at least attempt to keep the code base clean in good faith. You can't trust Lemmy to do the same.

  • And you're aggressively confidently wrong. Evidenced by the fact that you give literally zero reasoning.

    The fact a bug like this can happen is clear and obvious evidence for how these things can happen, and this was just stupidity, not targeted malice.

  • The Lemmy devs are ideological fans of communist China.

    They're likely to cooperate with them down the line and take actions that compromise their software, send data to others who are in their circle, and so on and so forth.

    A lot of people say since Lemmy is open source you can trust it, but open source isn't a protection against malicious code. Here you can see an example of just how easy it is to sneak something by. Even though this wasn't a malicious example it still allowed admin accounts to be compromised.