Posts by Jamie Jones

Re: botnet

This isn't about using third party libraries, it's about loading/updating them from a server out of your conttol, into your live software.

What is live? Errm what? How is that debatable? Production code, in use, with real data - as opposed to code in development on someones local computer which no-one else is accessing except maybe other people on the development team.

It's an easy line. Host your software. Don't be in a situation where your live (sorry, production/in use) code can be altered by someone else outside your team.

As for 3rd party libraries, I'll happily update packages on my personal machines, after reading changelogs, and if something breaks, I'll try and sort it out, but you can be bloody sure I won't update dependencies on live server code in such a cavalier way, and ESPECIALLY not in an automated way.

This is nothing unusual. It's standard practice, but more, it's common sense. At my last job, 1000's of people in the company used my teams software that ran on internal servers. We all liked our jobs too much to allow random people in the world to alter our live (running) code at will.

The fact this distinction isn't obvious to you leads me to believe you are of the younger generation that is responsible for this mess.

I don't look forward to the future when all us grey beards have retired, and new software is required for new traffic lights/hospital equipment/nuclear power systems/autonomous cars...

Re: botnet

"And NPM differs from PyPI how, exactly?"

No idea. So, just as well I wasn't replying about python, in an article about Pypi, isn't it?

(Substitute similar response for any other whataboutism you care to respond with)

Re: botnet

My mistake - this particular module is for node.js only, not the browser, so it's serverside js. affecting the server not the client.

The whole issue is the same though - whether it's servers auto updating/pulling in packages from 3rd party sites, or client run javascript instructing browsers to load 3rd party javascript.

Re: Any sanctions?

No, nothing to do with the browser, this is all server-side javascript. It's the servers that would be comprimised in this case, see my other post above this one.

Re: Any sanctions?

This is a node.js NPM package. I.E. This is serverside jacascript, not browser javascript.

NPM is "Node Package Manager", like apt, or pkg or deb etc.

The attacked computer would be the server running the application. The basic problem is the package manager has rhe ability to auto-update dependencies, and most people seem to usr it that way, so the changed files are loaded into someones server application.

Do npm packages work in browser or only in Node.js

Node Package Manager Guide: Install npm + Use Commands & Modules

Maybe Automatically Updating Dependencies Isn’t a Great Idea

Re: Buttery males - use your own server

Your post would make sense, but... BENGHAZI!

Re: 2FA problem

I've had that, it's a pain in the arse, but PayPal reset it after a quick phone call. To be honest, it was too stupidly easily reset.

Also, am I the only one who dares leave their phone at home? I wanted to do something when visiting my mum, but as my phone isn't surgically attached to me Amazon missed out on that order.

Don't get me started on trying to do grocery home deliveries online for my mum, who dares to have a bank account and credit card, but no mobile phone...

Re: What about IPv4?

Wtong. It was said that NAT would no longer be NEEDED, which is not the same thing.

NAT for Ipv6 exists. Both via the analogous NAT66, and the better NPTv6

(There is also NAT64 for NAT related ipv4 <-> ipv6 translation)

If they had just "increased the address space", people would be howling about how there's this whole new protocol to implement, and it doesn't address any of the IPv4 inefficiencies.

Just about everything in IPv4 can be done in IPv6 (even when better methods exist)

The only thing I can think of that doesn't exist in IPv6 is arp/rarp - IPv6 uses local multicast rather than local broadcast, but the result is the same.

Re: Part of the problem

*la la la* can't hear you

Re: Bring Back Telnet (or VT100/ansi via SSH)

I still use "w3m" a lot of the time for browsing.

I do everything that doesn't require graphics in a terminal window.

I bet there are many of us grey beards here!

Re: Watching the numbers tick by

I seem to recall that each line of data (once decoded from the broadcast signal) started with the line number of the line - it meant that they could update 1 or 2 lines without having to send a full page, or if a page was mostly empty, they could just transmit the required lines preceded by a "clear screen" code.

[ this was useful for newsflash and subtitles ]

If the signal was dodgy, you could get lines appearing at the wrong position. Also, if a "clear screen" code was missed, you could get the next few lines that could be decoded appear as corruption over what was on the screen previously. And the main one was if the "switch to graphics character set" code was wrongly interpreted, the rest of the line could appear completely corrupted (each new line default to the normal character set until the alternate set was selected)

As an aside, the page number consisted of the first digit (whose name I forget, but it was something along the lines of a "magazine set number") - followed by a 2 digit hex number. (i.e. an 8 bit byte)

Effectively, the 2nd and 3rd digit was binary-coded-decimal, but Oracle did transmit pages not for direct public consumption using hex letters.

The display could be set by the broadcaster so that any pages outside the "magazine set number" you had selected would not appear in the updating first line.

This made it look cleaner when more than one "magazine sets" were multiplexed together from different sources... (oracle / tvam on itv, and oracle / 4-tel (?) on ch4)

I seem to remember a full whole page took less than 1K

Don't be so obtuse - there is a huge difference between registering on a site you are purchasing good from, and being tracked by cookies for no reason when you are browsing a site anonymously.

No-one has suggested that Amazon should randomly send goods out to unauthenticated visitors.

I don't remember the sequences, but with BT there was a digit sequence to enable it, a sequence to disable it, and a prefix sequence you could put before a number to disable it on a per-call basis.

No adaptor needed, but for many people with only one phone line, the reason not to disable call-waiting wasn't a technical one!

And before you say "Disable it", for me at least, I was only allowed to do 8+ hour online sessions if I kept call-waiting on, in case someone needed to contact my parents!

Unfortunately, I was stupid enough to mention this to friends who took great delight in kicking me offline whenever I was in IRC....

I used to crack all the games to remove the codesheets, "speedlock" etc

It made me popular with the gamers in school!

By the way, "speedlock" used many layers of protection. Each time you peeled off one layer, there was a sarcastic message embedded in the code from the author!