I thought buttbuttination taught everyone how incredibly stupid this is 25-30 years or so ago already?
But no. Just a few years ago I tried to enter an answer into a Hungarian Q&A site recommending to take the Algeciras-Tangier ferry and the answer was refused. https://en.wiktionary.org/wiki/geci
20+ years of this handle online without problems, and I found out trying to sign up for Stern Pinball Insider that "bint" is a dirty word: https://en.wiktionary.org/wiki/bint
Yes, and your definition is by far the exception, not the rule. Maybe don't claim a definitive meaning when you're wrong to begin with.
One is much more likely to set off censors. Why do you feel the need to ask ridiculous questions? The word you use had already been said, censoring it would be meaningless -- whereas you ascertained the word I meant easily ;)
"You yourself imply there are different degrees to how acceptable the two terms are."
I never claimed either were acceptable or unacceptable.
Interesting how you completely gloss over your needless language policing, especially when you -- by your own admission -- haven't even used the terms in question (and presumably lack the nuance necessary to weigh in, despite jumping in anyway) shrug
What the ever-loving fuck? I don't endorse ANY misogyny you utter melon, which was why I called you out on your "Really isn't, it's about the same as calling a woman a cow." nonsense.
The only one "endorsing" misogyny here is you. Stop projecting, pillock.
> When disagreeing, please reply to the argument instead of calling names. "That is idiotic; 1 + 1 is 2, not 3" can be shortened to "1 + 1 is 2, not 3."
> Please don't post comments saying that HN is turning into Reddit. It's a semi-noob illusion, as old as the hills.
> Don't feed egregious comments by replying; flag them instead. If you flag, please don't also comment that you did.
FYI, barking orders at people and swearing at them because you're personally offended by something said in humor is much more stupid, and is arguably more unwelcome here than GP's comment.
Filters like that are so trivial to bypass on a higher level too. Look at how many gamer or forum tags are “Lovecraft’s Cat”. And good luck catching those cases on a non-manual basis.
I once happened across a Github where all the repos were subtle little bits of anti-Semitic cant relating to the Holocaust. More than subverting them, they also often function as dog-whistles for fellow travelers.
(For those not getting the specific one used above, Lovecraft had a black cat and a common name for black cats at the time combined a now nigh-unprintable racial slur for black people with the word 'man'.)
Related, here's a pretty impressive attempt to detect bad words, to allow a talking banana on a Twitch live stream, without being banned: https://www.youtube.com/watch?v=bJ5ppf0po3k
You're getting downvoted but I also don't understand the relevance here. Parent seems to imply this is a mistake by npm relying on partial censorship but aren't they literally banning this exact word?
Just learned "keygen" is the term the script-kiddies use to describe the act of generating fake activation keys. Never let it be said HN is not educational. But I feel the same way I felt when I noticed idiots using "crypto" to refer to cryptocurrency instead of cryptography.
Greetings! I am here to derail the thread with a remark about "organic chemistry" versus "organic foods".
Sometimes being there first doesn't mean you get to use the simplification forever. Cryptography is an older thing than cryptocurrency, but both are unwieldy to pronounce and have been simplified to "crypto". Since cryptography is math and cryptocurrencies (in the "popular" sphere) are a get-rich-quick scheme, the abbreviation that works for both generally became applied to the latter.
I am sure organic chemists are a little weirded out when people tell them "oh yeah I love those new strawberries we got". This is that.
"Crypto" has been around for much longer than 5 years. I remember someone using it in reference to a Motorola DES chip in the late 70s. And the IACR Crypto conference has been going on since the early 80s.
Why is it a misuse to use "crypto" to refer to a currency whose design relies on secrets, but it's fine to use "crypto" to refer to keeping communications private using some secret information?
I do crypto the airport (opening the barriers with my passport, where the computer in my passport signs a challenge encrypted with its pubkey) and do crypto with my phone (making a call, which is encrypted with Ericsson SNOW), and do crypto at the corner shop (using my card, same as the passport).
If airports, phones, and corner shops claimed they 'work in crypto' it would be similarly misleading.
Even Toly refers to himself as a distributed systems engineer, because building a blockchain involves more DS work than crypto work.
At the dawn of the search engine age I was in Japan, and so I spent some time not being able to learn about shitake mushrooms, as was a common western spelling at the time (they are not shi-ta-ke mushrooms, they are in fact shi-i-ta-ke mushrooms, hence the spelling change, even though we still pronounce them wrong).
You couldn’t say shit on the internet. I mean what the fuck.
It's funny, because in Old English ('Anglo-Saxon'), vowel and consonant length are both semantically important.
For those of you who want to have a better handle on the distinction, you can think of it as the sound having an extra 'beat', where a beat is the amount of time pronouncing that sound normally occupies.
It's easier if you take advantage of the one place English still distinguishes this: word boundaries.
Listen how you say, for example: Tibetan nitwit (you're holding the 'n' for two beats because your brain treats the distinction as important /when it's at a word boundary). You can do this with vowels too as an exercise, though they're a bit harder because English has a lot of vowels and finding good matches is a bit difficult.
I run a business called Keygen [^0], and own the @keygen namespace on npm. We’re working on a Node SDK, so this isn’t good to hear. I’ll open up a discussion with them and see what we can do.
Sure no one will be able to install the app from the CLI (unless there is a bug in npm’s parsing logic) but you should be fine distributing hyperlinks to skim-readers ;)
Have you had any publishing issues? My last successful publish on this package was 3 months ago, and I started noticing issues with deploys a few weeks back.
Three fun days of CI/CD pipeline debugging to get to this...
Unrelated to your question: your website's very pretty, but doesn't scroll horizontally on mobile. It also looks like there might be a bug in the code sample - where does "fingerprint" come from?
Why would you want to scroll horizontally? Or are you referring to the code samples? It's only a code "sample" (i.e. non-working just to show off the platform), so fingerprint would likely come from something like https://github.com/denisbrodbeck/machineid. Full examples are available in the Go SDK docs [^0].
The functionality makes sense given this response. The code sample is not fully viewable without a horizontal scroll; it's cut off about 20 columns in. It's as if you're presenting 2/3 of your website, but not allowing the user to see anything else.
Nice to see an alternative to FlexLM. That package was the bane of my existence when we had a bazillion RS/6000s running AIX. And when I worked at Borland, I campaigned (unsuccessfully) against its use.
The solution is to examine all words that contain that substring and explicitly whitelist them.
Nowadays though, we have a different Scunthorpe problem. I call it the "Hidden Garfield" problem, because that phrase is detected as a racial slur after you run Double Metaphone on it and throw out spaces.
That would be terrible, because if someone owns the @express namespace that isn't express team (not gonna happen, just illustrating why this idea is bad), then goodbye all `express-*` packages.
Thanks. That shader doesn't seem to play nicely with some GPUs and I'm still working on edge cases. If possible, could you look at your console logs and email me your specs? They should be logged. Email is in bio. It should be doing automatic categorization of the GPU to determine render quality, but maybe something's still incorrect there.
With all due respect, this is possibly the dumbest rebuttal I've heard. Why do I need a powerful GPU or even need my GPU to waste compute cycles just to view a webpage?
Just get rid of it entirely. The visual flair is not adding any value. It's a performance drag, highly distracting, and serves no useful purpose whatsoever. This "trend" in modern web design is truly infuriating.
Wasn't expecting so much candid feedback today. There was a Launch HN yesterday that had a 3D rubik's cube on their home page. It was literally pointless. But kind of neat. But you probably hated that as well, if I could assume. But I say that to point out that lots of companies do it, sometimes simply because we can (just look at Stripe and GitHub).
I think the lava lamp effect is cool. The perf issues can and will be fixed.
I appreciate you engaging with commenters on this, it’s nice to see.
From my perspective I agree with a lot of the other commenters - it’s just design for design’s sake. It’s an expensive way to add minor visual flair that heavily degrades the experience for a sizeable number of users. In terms of value provided to the user: it’s basically zero, or often worse than zero.
Personally, it feels over-designed, which the stretched font for the headings really reinforces. I’d drop the shader, re-evaluate your font choice for the headings, and focus on layout and readability a little more - using the site on my iPhone feels really cramped and like the whole page is getting cut off on the right-hand side constantly. I can’t scroll horizontally to see the rest of the code, for example.
I do like the little text-flicker/flipboard animation on the “keygen” logo though. That looks clean and well-suited to the theme of the site.
I spent weeks on the typography and on choosing a font. Went through so many different styles. I ended up on Owners by MCKL [^0] because I personally like the ultra-wide font trend, and I liked its Text variant as well. Bummed to hear that others aren't a fan of it. Oh well, design is pretty subjective.
And it may be over-designed. It was my first foray back into design since switching careers to programming about 10 years ago. Maybe I took it a bit too far? Felt good to stretch those muscles, though. :)
It didn't quite register as a "display" font variant usually does for me either -- the only feature is the width (it's a nonfancy sans-serif, what do you expect) so it somehow just feels like it's been squished. Intellectually I know it's definitely not a simple scale-transformation and must have involved some curve work to make it look less off, but I just can't shake the feeling of having seen text getting run over by a truck.
I went and found that Launch HN, and yeah, that rubik's cube is horrendous on my computer. They did not do as much effort as you did to make it work on low end machines. I don't have a GPU at all; your site disables the background effect but their site shows the cube anyway. Their site drags once that rubik's cube appears, and the cube itself animates at 1-2 fps. It's a very poor experience and I don't really see what the cube adds, but I do see what the cube subtracts.
(Your site works fine on my computer. The effect is disabled and it's not a problem.)
I'm sorry, but what should just be a _progressive enhancement_ in this case completely ruins the user experience for me. However, I'm probably not your target audience, I'm just commenting on this trend in general.
It literally is a progressive enhancement, so I'm not sure what your point is.
There are clearly bugs where it's enabled where it shouldn't be, and that's certainly an issue, but the comments here make it clear that it gets disabled automatically on lower-end devices.
So I took a look at the actual shader, and it really should not require anything powerful (decade old, worst-you-can-get hardware might struggle). A much more likely explanation (that the gp is alluding to but didn't explicitly say) is that the issue is related to your GPU drivers or related software. These are often buggy and/or hit a slow path for whatever reason. This is almost guaranteed to happen for some browser/os/hardware/driver combo (of which there are _many_) and you seem to have drawn today's short stick.
The animation itself looks fine, it's slow enough that it doesn't feel distracting. Just a bit of flavor.
It's mostly just a few calls to a cheap noise function and no footguns I can see. Also hurrah for dev tools and open text formats! If you're looking for better performance, it looks like the noise could be precomputed (the same blob always gets the same noise). Might be faster, might just hit more bugs.
That’s just your opinion, man. I checked the site on iPhone and would say that it’s better than 80% of the sites I see. No performance issues at all. The extra wide font I don’t like however.
The pixel shader is cool, but consumes too much resources. On my 1080Ti, uses about 20% of GPU to render, which is too expensive for such a simple graphics.
I’ve looked at the source, and it seems you’re doing too much computations there. Metaballs are usually rather simple, and they don’t require any trigonometric functions. Compute something like `sum( ball.z / length( pixel - ball.xy ) )` and apply the threshold. If you want anti-aliasing, use fwidth() for the screen-space partial derivative of that value after the loop, compute two thresholds around the iso-value, then smoothstep() instead of a hard threshold.
Also, consider moving the ball parameters (center and size) into a constant buffer and update them on CPU. Because there’s just a few balls, JavaScript is good enough for the job. Your current version computes these things from time for each pixel for each frame. There’re about 8 megapixels on my display, so these computation costs are escalating very quickly.
FWIW, my laptop is a relatively beefy 2021 model (granted, with integrated GPU). For a business that's not about 3D rendering, spending an innovation token on making sure your landing page can have a smooth background animation seems like it's playing on hard mode.
The entire lava lamp effect is a shader, not just the bokeh. :)
I haven't noticed any drop in registrations, conversions, or any noticeable differences in traffic patterns after launching the redesign, so I'm not sure if this is actually happening. Though it's a valid concern and issue, and I do want to fix it. And I appreciate all the reports. I think it may be a retina resolution issue, but could be wrong.
On launch day, everyone loved the effect (it goes along with the new logo) and only a couple people said it performed badly, but they were on exotic devices.
I may have caused this a few days ago when I enabled rendering at retina resolution for tier 3 devices. What I wasn't expecting was so many tier 3 devices that aren't really what I'd consider "tier 3." I was expecting all tier 3 devices to be gaming-level GPUs.
I guess I should have read the source [^0] more closely and I could've avoided this.
Another danger here is testing with the website being the only thing on the PC: some people use their computers like that but many others will have many different things open at once: just because it can run at an acceptable FPS on the detected hardware doesn't mean the resource use is acceptable on a system which is multitasking. I usually have >100 tabs in my browser and at least 20 of which are loaded: they cannot all demand what your site demands, even though the hardware is quite high-end.
How many tabs are simultaneously visible? An animation in a non-selected tab won't get much in the way of resources, so the number of loaded tabs shouldn't be a big factor.
> What I wasn't expecting was so many tier 3 devices that aren't really what I'd consider "tier 3." I was expecting all tier 3 devices to be gaming-level GPUs.
Could be the detection of GPUs doesn't work correctly? My nVidia 1080Ti is detected as nVidia 980Ti, and a sibling comment mentions an integrated laptop GPU being detected as tier 3 with isMobile=false.
When you emailed me about this a few weeks ago I played around a bit with the shader, and just creating fewer blobs made the problem go away (reducing "for (int i = 0; i < 15; i += 1) {" to 5 in the "void main"), but I didn't really have the time to investigate in-depth or see what kind of visual effects that would give (dealing with this minified JS isn't exactly fun and I never worked with OpenGL shaders either), but just FYI.
Good to hear it's not just me though (and the effects also aren't disabled for me either).
Yeah, as long as we're focused on the really important things. Like animations that nobody actually needs or wants (apart from the person putting it there). That is, of course, until it ruins the user experience by bogging down the browser. And then, sure, let's debug that and make sure it runs on everyone's browser/os/cpu/gpu combo. That's a brilliant use of time.
Until someone turns up with a new combo where it doesn't work. Because judging by the comments, this seems to be a janky piece of code that isn't well understood.
"Turn it off" (or rather, "rip it out, and throw it away") is good advice. If there is even a slight chance this might come back to haunt you and screw the user experience, it isn't worth it. If your animation is more important than avoiding a horrible user experience, well, that's kind of useful for your customers I suppose.
Interesting. I wonder if this is a retina display issue. I just pushed out a change that renders the shader at standard resolution even if the device has a retina display. I don't have a retina display on any of my devices except a 2019 MBA and it renders fine on it. I wonder why.
I'm questioning whether or not I should continue into the realm of gamedev... the amount of "works on my igpu from 2015 in low power mode" and "stutters on my rtx 4070 ti" here is making me laugh out loud.
What do you mean by this? I wrote the shader because gamedev is an interest of mine, and I wanted to give writing a fragment shader a try for the redesign.
Because it's not bad enough to be a red flag but it does make me wary of the company's priorities. You used a complicated shader to make a scroll bar that doesn't scroll, which may as well have been a static background image, and half-visible janky blobs in the background I thought at first were eye floaters. The crushed font looks like a rendering error and the e's and s's looking identical made me stare at the word "businesses" because I swore it was misspelled. I do have to say the color scheme is gorgeous though.
+1 the website is borderline unusable on my work laptop. I have an M1 Pro in my standard MacBook Pro 2021. I am using the latest version of Chrome and this animation causes a huge performance regression on my computer when it's visible.
Keyword moderation feels like an unspirited attempt by developers to satisfy incompetent managers telling them to get other incompetent managers, upset about piracy, off their backs. I don't believe anyone involved actually thinks this will make a difference. It's just to address a complaint.
That's almost certainly the case. "What can we do that has an observable effect we can demonstrate as us being responsive, but doesn't have a significant cost [to ourselves]".
It's the same as any other "this shouldn't be done, but a manager asks me to do it". If you aren't ready to die on that hill as I would, then there is nothing you can do. I'd easily take that fight but that's coming from a very privileged position (i.e., I'd not risk not having food on the table if I said no when a manager asked me to add keyword moderation or a dark-pattern cookie banner).
Keyword moderation is terrible and only affects the language(s) you know about. It doesn't actually prevent the content (the goal of these types of filters) from being served. It'd be like a virus scanner preventing a program from running because it had the name 'virus' in it ... which would prevent itself from running -- probably.
My favorite is the online name censoring in video games. Dark Souls infamously just does a straight check of any string match within the name against a big list of no-no words. So in this fantasy game where everyone is running around as a knight, anyone who has "knight" in their game will appear as "k***ht" to other players.
There's also a famous image I've seen online from another game where the guy's name was Nasser which appeared for everyone else in-game as "N***er"
I remember a conversation with someone using an in-house file transfer system: "Oh you won't be able to send more than X GBytes, at that point the chances that the base64 encoding contains a banned rude word become too high, and the transfer will fail."
Maybe it's time to convert base64 to high UTF8-areas. I guess there won't be any keyword-filter yet for ancient egyptian hieroglyphs. I'm curious whether there are already emoji-filters...
Just use a r-ANS entropy coder with feedback skipping symbols that would result in a ban from being possible to encode at that moment... I think.
Unless I've gotten confused about the limits of dynamic prediction abilities in ANS.
I think it's just that the encoder and decoder run in opposite directions through the encoded symbols, but read-ahead during decoding shouldn't be a problem...
My favorite is Fark's word-changing filters and their unintended side effects. The no-no words are scanned across whitespace and reversed, and any hits get translated to the approved word. "Shit" becomes "Shiat", the N word becomes "nubian", etc.
Every so often someone will find their sentence that contains something like "I will have ham or egg in my sandwich" becomes "I will have ham onaibun my sandwich"
Reminds me of Yahoo's botched e-mail filter in the early 2000s, when in an attempt to prevent Javascript exploits they automatically replaced all occurrences of a few script-related keywords with alternative terms – even in the text body of a mail and without regards to word boundaries. "eval" got replaced by "review", leading to such words as "medireview" (medieval), "reviewuation" (evaluation), "rereviewuation" (reevaluation), "prreviewent" (prevalent) and suchlike.
If you search for some of those terms, you can still find traces of them across the internet and even in some published scientific papers.
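The two substitution styles described in the Fark and Yahoo comments above, reconstructed as an added example (this is not Fark's or Yahoo's code, and the word lists are constructed placeholders; a made-up banned word "rag" with approved replacement "cloth" stands in for the slur so the reversed, cross-whitespace behaviour can be shown). The point is the collateral rewrites: a replacement that ignores word boundaries turns "medieval" into "medireview", and one that also squeezes out whitespace and matches reversed strings turns "a big arm" into "a bihtolcm".

```javascript
// Yahoo style: replace every occurrence of each keyword, no word boundaries.
function yahooStyle(text, pairs = [["eval", "review"]]) {
  return pairs.reduce((t, [bad, good]) => t.split(bad).join(good), text);
}

function reverse(s) {
  return s.split("").reverse().join("");
}

// Fark style: the text is matched with whitespace removed, both forwards and
// reversed; the matched span in the original text (including any whitespace the
// match swallowed) is replaced by the approved word, reversed if the hit was.
// Constructed placeholder list: [banned, approved].
const FARK_PAIRS = [["shit", "shiat"], ["rag", "cloth"]];

function farkStyle(text, pairs = FARK_PAIRS) {
  // Build the whitespace-free string and a map back to original positions.
  const squeezed = [];
  const back = [];
  for (let i = 0; i < text.length; i++) {
    if (!/\s/.test(text[i])) {
      squeezed.push(text[i].toLowerCase());
      back.push(i);
    }
  }
  const joined = squeezed.join("");

  // Collect [start, end, replacement] edits against the original text.
  const edits = [];
  for (const [bad, good] of pairs) {
    for (const [needle, repl] of [[bad, good], [reverse(bad), reverse(good)]]) {
      let from = 0;
      let at;
      while ((at = joined.indexOf(needle, from)) !== -1) {
        edits.push([back[at], back[at + needle.length - 1] + 1, repl]);
        from = at + needle.length;
      }
    }
  }
  // Apply right-to-left so earlier offsets stay valid. Overlapping hits (for
  // example a palindromic banned word) are not handled; none occur in the
  // samples below.
  edits.sort((a, b) => b[0] - a[0]);
  let out = text;
  for (const [start, end, repl] of edits) {
    out = out.slice(0, start) + repl + out.slice(end);
  }
  return out;
}
```

With these lists, `yahooStyle("medieval evaluation")` gives "medireview reviewuation", `farkStyle("holy shit")` gives "holy shiat", and the reversed placeholder "gar" is found inside "cigar" and across the gap in "big arm", which is exactly how "ham or egg in" picked up a reversed match in the comment above.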
It makes sense for Dark Souls games because multiplayer is a lot less optional. Player names will appear in your game, and turning this feature off really hurts the experience.
Their hamfisted approach leaves a lot to be desired. I have a feeling it is a product of being designed and implemented by non-native English speakers.
> My favorite is the online name censoring in video games.
I don't know what the filters are like in EverQuest nowadays [1], but back in 2000 EQ didn't allow "cock" in chat. Then in April 2000 the expansion "The Ruins of Kunark" came and some of the zones that pretty much everyone making their first trips to Kunark would visit contained a variety of hostile cockatrices, and the chat filter would not let you mention them because of the "cock" at the start of their names.
I once had occasion to implement a chat system for a small online gaming service and was supposed to filter out bad language. What I did was something like this:
1. Split the message into words.
2. For each word that is in /usr/share/dict/words or our own list of good words and is not on our bad words list, mark each character in that word as being good.
3. Concatenate all the words.
4. Find all places where words from the bad list appear as substrings of that concatenated string.
5. For any such bad words in the concatenated string mask the corresponding characters in the original message with asterisks unless all of the bad word's characters in the concatenated string are marked as good.
For example the word "cockatrice" would have been uncensored even if "cock" was on our bad list because "cockatrice" is in /usr/share/dict/words and would not have been on the bad list. On the other hand "cocksucker" would have had the "cock" masked.
If someone had tried to slip "cocksucker" by by inserting spaces such as "c o c k s u c k e r" the "cock" part would have still been masked, because the "c o c k" would have ended up as "cock" in the concatenated string, and not marked as good.
Note that you would have been able to call someone a "peacock sucker" just fine, because "peacock" is in /usr/share/dict/words. Misspell that as "peecock sucker" though and then the "cock" part would have been masked.
I was fine with that. I figured it encouraged good spelling among those who want to insult others. :-)
(There was a little more, such as dealing with tricks like using 3 for e or \/\/ for w but those aren't really relevant to the general idea).
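The five-step filter described in the comment above, written out as an added example in JavaScript (this is the commenter's algorithm as they describe it, not their code). The dictionary is a constructed handful of words standing in for /usr/share/dict/words, and the bad-word list is the single word the comment uses; both are assumptions. The example also covers the "explicitly whitelist words that contain the substring" approach from earlier in the thread, since the dictionary plays that role.

```javascript
// Constructed stand-ins for /usr/share/dict/words and a real bad-word list.
const GOOD_WORDS = new Set(["the", "a", "is", "cockatrice", "peacock", "sucker", "knight"]);
const BAD_WORDS = ["cock"];

// Returns `message` with the characters of offending substrings masked by '*'.
function maskMessage(message, goodWords = GOOD_WORDS, badWords = BAD_WORDS) {
  const chars = [];      // step 3's concatenated string, one character per entry
  const origIndex = [];  // origIndex[k]: where chars[k] sits in `message`
  const good = [];       // good[k]: true if chars[k] belongs to a known-good word

  // Step 1: split into words (runs of word characters; punctuation is dropped).
  const wordRe = /\w+/g;
  let m;
  while ((m = wordRe.exec(message)) !== null) {
    const word = m[0].toLowerCase();
    // Step 2: a word is good if it is in the dictionary and not itself banned.
    const isGood = goodWords.has(word) && !badWords.includes(word);
    for (let i = 0; i < word.length; i++) {
      chars.push(word[i]);
      origIndex.push(m.index + i);
      good.push(isGood);
    }
  }
  // Step 3: whitespace and punctuation are gone, so "c o c k" reads "cock".
  const joined = chars.join("");

  // Steps 4 and 5: every bad-word hit in the concatenation is masked in the
  // original message unless all of its characters lie inside good words.
  const out = message.split("");
  for (const bad of badWords) {
    let from = 0;
    let at;
    while ((at = joined.indexOf(bad, from)) !== -1) {
      const covered = good.slice(at, at + bad.length).every(Boolean);
      if (!covered) {
        for (let k = at; k < at + bad.length; k++) out[origIndex[k]] = "*";
      }
      from = at + 1;  // overlapping hits are still found
    }
  }
  return out.join("");
}
```

"cockatrice" and "peacock sucker" pass untouched because every masked-candidate character belongs to a dictionary word; "cocksucker", the spaced-out "c o c k s u c k e r" and the misspelt "peecock sucker" all get the four characters masked, which is the behaviour the comment describes. A production filter would need the leetspeak normalisation the comment mentions and a real dictionary, and the dictionary is also where the Scunthorpe-style false positives get fixed: a legitimate word is made good by adding it.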
[1] Yes, EQ is still around...and with the changes it has undergone over the years it is actually a pretty nice solo or small group game even on a free play account, especially if you have an old account to reactivate so you get veteran rewards. Here's a description of some of the major changes [2]. When I returned to EQ a few years ago, I had no trouble playing a solo Bard to around level 60 on free play. Things got a bit slow then and I switched to paid. I then made reasonable progress up until I had finally satisfied my
> keyword moderation is terrible and only affects the language(s) you know about.
It doesn't seem that hard for npm to review lists of the most common keyword searches and identify the ones strongly associated with piracy (or other things negative for their business).
I agree, though, that keyword moderation is pretty terrible. It might work from npm's perspective, in that it might be annoying enough to pirates that they'll find some more convenient place to upload/download. I don't think it will have any overall impact on privacy though.
I love keyword moderation. I love finding ways to demonstrate to those using it that it's futile by using only non-offensive words to thoroughly offend people. I was given a talking-to by a game administrator once for naming a match "Your granny rides my throbbing purple rod." It didn't contain any no-no words, though!
Author here, with some context: the relevant package [1] generates key material to set up an end-to-end encryption SDK [2], based on libsodium and OPAQUE.
Oh. As the creator and reluctant maintainer of npm's "ssh-keygen", this is awkward!
First question: does this mean I won't be able to publish patches to the package?
Why do I not want this package under my control? The original package simply calls spawn for your real `ssh-keygen` with the appropriate arguments. No real problem, (although there is very little value here). But a contributor added support for Windows by uploading opaque binary builds for Windows. While I have no reason to distrust the contributor, it is scary to be "responsible" for opaque executables that I did not personally produce.
So, what should I do with this package? Assuming npm lets me do anything?
Fortunately this package is "only" downloaded ~1600 times/week, minuscule for npm. If you are tempted to use ssh-keygen, I recommend you learn how to use execFile/spawn, and use the native program directly.
For context, I published this 10 years ago, as one of my earliest contributions to open source. I probably wouldn't have gone near any security-essential contributions if I had more experience at the time.
Piracy. Programs that generate activation codes for proprietary software are called keygens. They usually come with interesting musical accompaniments.
Back in the day, paid software used to use serial keys for activation. Keygens made valid reg keys using the same algorithm so you could pirate software easily.
"Keygens" are programs that generate valid product keys in order to crack software copyright protection. Under the DMCA or similar laws in many other countries, they are illegal to use, create, or distribute.
Every time npm comes up I remind everybody that npm is shit, and nobody should use it. They have a bad track record of doing things right and bad attitude when told.
But you keep using it.
I refuse to use it at work and refuse to use it in personal life. It’s not real software and will cause you harm.
Fun fact. Several years ago I started getting charges from NPM, which although I am a software developer I have never used. I cancelled my credit card multiple times, but they kept appearing each month.
I went to my bank, Bank of America, and they claimed that there was nothing they could do because NPM was using some sort of option they had to follow me when I got new credit cards. I don't know what kind of option that is, as every time I get a new credit card I have to update it with literally every other company. I also don't know how a bank wouldn't have some sort of manual override. Nevertheless, I called NPM, who said I had to talk with my bank. Eventually, after months of dealing with this loop, I threatened to leave my bank, and my bank advised me to call them and threaten to get the BBB involved if they didn't fix it, and a few days later NPM admitted it was an error on their end and reversed all of the charges.
To this day I wonder what kind of shady thing NPM was doing to not just charge someone who had never been a customer of theirs, but to follow them across cancelled credit cards.
Ok, I'll bite. There is no way a merchant can learn a new card number other than from the cardholder, or from a thief who got it from the card/cardholder. Not from any upstanding entity.
If you merely got a new expiration date, security code, etc. without also changing the card number, they could "follow" that by submitting a transaction without those extra pieces of information, at greater cost and risk to themselves, though.
I'll happily take downvotes if I'm wrong, for being assertive without a source.
Are you sure NPM was actually charging your card directly, and not a digital wallet or similar virtual card thing which you kept active?
Some banks have a service where if you use your card for ongoing regular payments and the card is replaced for any reason, the bank will allow those regular charges to continue on the new card when the service provider uses the old number.
It's very convenient if that's what you want -- it means you don't have to go to all of the ongoing services to update your card immediately. But it does mean that you can't count on changing a card to stop unwanted ongoing charges.
I recently replaced a card at my bank, and they offered this as an opt-in service (which I opted in to), but I hear that some banks make it opt-out, instead.
Ah. So in that case, NPM is not learning a new card number, and probably isn't even aware of anything at all, given that the card issuer is simply accepting transactions (instead of declining them as this person expected) on the old card number.
NPM was in the wrong for continuing to place unwanted transactions, but they were not actively participating in this "follow" scheme so the blame stops short of that.
The way the update services work is that you send them the card type, card number, and expiration date of a card you have on file, and they respond typically with one of these four responses:
1. Still good.
2. The account is closed.
3. The card is still good but has a new expiration date, which is YYMM.
4. The account has a new card. The card number is XXXXXXXXXXXXXXXX and the expiration date is YYMM.
Oh, ok. Still doesn't feel right blaming the merchant for utilizing #4 in exactly the intended manner.
The existence of #4 seems odd though. If someone just wanted different card perks they could do a "product change" which I believe retains the same number anyway, so a new number should only occur if the old number was reported stolen, in which case why provide the new number to the potential thief?
The update service is only available to merchants, and even then I believe there is extra vetting beyond simply being allowed to accept credit card payments. The intersection of that set and the set of credit card thieves is small.
For a typical user who has their card stolen it will go something like this. Fraudulent charges start appearing on their card, which is when they realize their card number has been stolen. The bank issues them a new card, makes sure the fraudulent charges get refunded, and invalidates the old card so the thieves won't be able to put new charges on it.
Without the updater service the user would have to deal with contacting every place they have subscriptions and update their on file card to avoid having their services disrupted.
With the updater service many or most of those will update automatically.
If the thieves used the card to buy some subscriptions, and those are from merchants who are able to use the update services, then those services may get the new number so the user might have to contact them to cancel.
For most people in that case though the number of subscriptions they legitimately have will be much less than the number of subscriptions that the credit card thieves purchased on the user's stolen card.
"Stripe works with card networks and automatically attempts to update saved card details whenever a customer receives a new card (for example, replacing an expired card or one that was reported lost or stolen)."
I was as shocked as you, and was absolutely infuriated over the bank telling me that they couldn't manually override whatever was going on. I can assure you it was a real thing that happened, and I did cancel my credit card and get a new number, if I remember I tried that at least twice.
I found the email from NPM when they fixed it, though in the email they still claim that my card details were stolen and it should be closed, ignoring that I had done that multiple times already. The email is below. Apparently there were 28 charges, so it must have been around 2 years that this was ongoing, I was dealing with some major issues at that time so I had to put it on the backburner for that time.
As far as digital wallets and virtual cards, I have none of those things. I may be a programmer, but I haven't gone techy with my finances, I just have a checking account and a credit card, and this charge kept appearing on my credit card across at least two card cancellations. Having said that, I have no idea what would happen if a fraudulent digital wallet or virtual card was set up that I was unaware of. The issue did start in 2015 though, so I'm not sure if those even existed back then.
Email from <Redacted>@npmjs.com:
"We've completed the investigation into the charges we believe linked to your card ending in [Redacted]. We've refunded each individual charge for a total of $196 (28 refunds at $7/each). You should see those credited back to your account within a few business days.
We've canceled the subscription the charges were linked to, and removed the billing details. That said, we'd still encourage you to notify your bank that the card information was stolen and that the card should be closed.
Thanks for your patience while we worked through this on our end. I understand it wasn't ideal and even frustrating at times. I'm sorry for that.
Please let us know if there is anything else we can do for you. We’ll be here to help."
That sounds completely different. Blocking the word 'keygen' accomplishes absolutely nothing and is clearly stupid. Blocking build scripts absolutely stops a major attack vector.
Malicious unchecked code in postinstall can just be moved to runtime so blanket blocking postinstall is as effective a solution to supply chain attacks as the solution of blocking npm packages with the word "keygen" in them is to the problem of .... js based keygens???
There are many legitimate purposes for postinstall scripts yet the anti-postinstall crowd acts like they solved security issues with this one easy step.
Runtime can be anything from browser to quickjs to Node in a docker. In many such cases the only time code runs on your dev machine completely unsandboxed is install scripts.
Yes it is good to never install malicious NPM packages anyway but if you develop for any of those runtimes and you do not bother to check dep tree the anti install script crowd saved your ass.
So a completely different scenario? Let's assume for a moment that developers only ever 'build' or 'check' their code, but all actual runtime behavior is in production. In production we have toooooons of security tooling for monitoring and constraining program behavior. On dev computers? Basically nothing.
Of course, developers run `test` as well, and sometimes they run the whole program but these use cases, especially at companies, are increasingly moving to CI.
Not running your tests locally to make sure stuff actually compiles/works before committing to the repo and blowing up everyone else is a great way to piss off your QA group.
Please, make sure it runs locally first. CI often costs $$$, and when you nab a QA for debugging support, nothing irritates more than the answer "Well, no..." to the question "Did you even compile/run this?"
> Not running your tests locally to make sure stuff actually compiles/works before committing to the repo and blowing up everyone else is a great way to piss off your QA group.
I can't square this circle of someone being paranoid about postinstall script but at the same time thinks the first chance to review dependency code is after doing a `npm i`.
Check the git repo of the library you are installing beforehand if you're so paranoid about postinstall.
And above that, never install any library for which the source is not readily available. This is the most basic first line of defense.
> Check the git repo of the library you are installing beforehand if you're so paranoid about postinstall.
> And above that, never install any library for which the source is not readily available.
Whether source is available or not is mostly irrelevant when you're potentially dealing with malicious code, you need to review artifacts that are being fetched from NPM since those can differ from source code on Github.
Attackers aren't going to announce their malicious code through meaningful git commit messages in a prominently displayed GitHub repository. They will make innocent-looking commits on Github, then publish a new version containing a single additional line of malicious code on NPM.
> ...NPM since those can differ from source code on Github.
True. How about people act their threat model? Instead of removing a feature for many users, just do whatever you need to do to be sure you're safe yourself?
In what other major situation is the solution to nuke a feature due to security concerns?
Afaik the main conversation about postinstall is around leeches complaining about political messages in their console and one or two other incidents
> Blocking the word 'keygen' accomplishes absolutely nothing and is clearly stupid.
The intent is almost certainly to stop a spam campaign which was using NPM package pages to host links to outside sites. Similar pages have been discussed on HN previously [1].
The fact that there was actual installable software involved was irrelevant to the attacker. All they were after was a way to put their content on a high-reputation domain -- and NPM was perfect for that.
That script also does more than just Online KMS activation, which would be clear from a few seconds skimming.
There's also been no indication that any of these repos would get taken down. At all. py-kms has been there since 2017. You'd think if Microsoft had such a big problem with its existence, it'd have gotten pulled in the last 6 years.
There are several KMS-based activation scripts and servers on GitHub. Did you even take a second to do the briefest of checks before saying that so confidently?
Okay but what about keygen for ssh/git/pgp/certs or really anything in software that relates to security, which fundamentally rely on, at some point, the generation of encryption keys? It’s just such a dumb counterproductive step to take.
I'm assuming keygen must not be part of the package name specifically, right? Because keygen can be part of contained JS content without probs, as the sgml package is demonstrating (containing the legacy keygen element as part of its embedded HTML DTD grammar).
But I'm still curious why keygen would be problematic as part of a package name?