Site Discussion

POLA Would Have Prevented the Event-Stream Incident

POLA Would Have Prevented the Event-Stream Incident by Kate Sills

The JavaScript world was rocked this week by news that the popular npm package event-stream included malicious code that attempted to steal the private keys of certain Bitcoin users.

Since the attack was discovered, both the JavaScript community and the cryptocurrency community have been passionately debating how to prevent such an attack. At Agoric, we think this attack was entirely preventable, and the answer is POLA, the Principle of Least Authority.

This npm / event-stream debacle is the perfect teaching moment for POLA (Principle of Least Authority), and for the need to support least authority for JavaScript libraries. My talk Securing EcmaScript, a presentation to Node Security, explained many of these issues prior to this particular incident.

For LtU, my best explanation of POLA is Verify What? Navigating the Attack Surface given to the "Formal Methods Meets JavaScript" workshop at Imperial College.

ADMIN: You NEED to set up HTTPS soon

Chromium has already started to report this site as "insecure" in its title bar.

Firefox will do so in the next release, I think.

It's already a chore to even sign in because the browsers require extra confirmation for filling in forms (passwords) for anything non-HTTPS nowadays.

I have no idea about the hosting details of LtU, but good hosting providers already offer some sort of Let's Encrypt integration these days, so please opt in to that, if you can. If you're self-hosting I think there should be a reasonably approachable solution to this issue. Feel free to contact me privately (you have my e-mail!) and I'll try to connect you with someone who knows exactly what to do.

EDIT: I had a brief look around for relevant admin email addresses on the site and didn't find any. Hence my post. (Plus formatting.)

Site migration

Update: The migration of LtU to new servers is complete.

If you notice any issues with the site, please post in this thread (if you can), or email me at antonvs8 at (gmail domain).

Original announcement appears below:

This evening (Sunday, US Eastern time), Lambda the Ultimate will be migrated to new servers.

The site will be offline for around 30 minutes, while this migration and some database maintenance is in progress.

The new platform is a shiny new Kubernetes cluster, which will enable some long-overdue improvements to the site in 2018.

An update will be posted in this thread once the migration is complete.

Markdown support?

Currently LtU offers the input options "Plain Text + HTML" and "HTML". I have grown to find them rather irritating for several reasons:

- having to manually use HTML escape codes for < and > makes some things almost unusable for me (this comes up a lot in the current Frank discussion). It is painful to write, and painful to read back when editing a post.
- the syntax for inline code, namely <code>...</code>, is goofy and impractical in practice, compared to `...` in Markdown.
- other parts of the HTML syntax have less overhead, but still prevent me from using them more often: links and lists come to mind. (As I'm writing this, I realize that I am writing a textual list. I'll leave it as is for the example, although I would usually rewrite my posts in full <ul><li>...</li><li>...</li></ul> clad.)

(some form of) Markdown has gathered consensus among websites that expect user comments, for example Github and Reddit. I would be very happy if we could have a Markdown input option in LtU. Because it does "the right thing" with text by default, and also supports raw HTML fragments, I think this option should be the default.

P.S.: Ehud, in 2010 you were of the opinion that technical information on the website platform is off-topic, even in the "Site operations discussions" forum. Is that still the case? I started by looking for technical information on where the site's source could be found, to see if I could consider contributing Markdown support myself (or at least evaluate the effort that would be involved), but was unable to find any information. Would you consider sharing a bit of information on the site's internals to encourage people to lend a hand from time to time?

server life expectancy?

It looked like LtU was down a bit today at least. Anything we can do to help? Should we all throw money at somebody to get a revamped server or anything?

Exporting the database

I'm interested in playing around with ways to render large discussions, to see what is readable / easy to navigate. This is motivated in part by the 500+-comment discussions that span indented posts across multiple pages. I've already hacked together something that parses the HTML on the site (Drupal generates really nicely structured HTML) and rebuilds the comment database, but it seemed a bit rude to spider the whole site.

My first question is do you mind people pulling off copies of the site to experiment with, maybe building a tool to render the site in a different format? Which may then lead to technical questions such as:

  • Is it possible to export the Drupal comment database in some way?
  • What format?
  • Can it export smaller slices, e.g. something like particular days?

When are Actors appropriate?

So there have been conversations about what is appropriate talk on LtU. Personally I am not offended by brusque commentary. On the other hand, while I respect Hewitt, I do think that the 'actors everywhere' thing has not gotten any better, only worse. I posted about process calculi and the first post was to railroad it towards actors, and sure enough, enough people took the bait. :-(

I believe that conversations should be allowed to go off on to tangents, e.g. talking about quantum. We all have subjective opinions, like Justice Stewart, about when it has gone from respectable tangent over into frankly trolling behaviour, even if the troller doesn't do it to be a troll.

I'm asking everybody who is getting involved in each and every actor thread to please stop when they are on topics that did not in fact start out talking about actors. Personally I think it is OK if you go and start a new parallel topic where you draw the link and leave the conversation there. I do not need anybody to stop talking, I just would very much appreciate it if we could all try to see if we can keep the torrent of actor threads contained in their own places, so that other threads can live or die on their own.

(At the very least, realize that by forcing a thread to go onto 2 pages you have broken my ability to get to the new posts. Hardy har-har.)

Thanks for your support.

can we help with the db?

Seems like poor old LtU has been down a fair bit on and off of late. Is it something we can do much to address easily? Even if it is just/only via moral support? :-} Thanks for the effort of keeping the old blunderbuss that is Drupal reanimated when needed.

Paged topics

Is it just me, or is the UI/UX of multi-page topics just not good? Could there be a way to fix it, or to enforce that things can't be bigger than one page, or can we all start teaching ourselves that we should start new pages or something?

When I go to the "recent posts" and see some posts on some topic, I click on the topic title (not the individual *'s new posts in the "recent posts" list) and then if they are on anything other than page 1 I can't find them.

LtU database problem

On posting a comment, I get:

user error: Incorrect key file for table './ltu/cache.MYI'; try to repair it
query: DELETE FROM cache WHERE expire != 0 AND expire 

The comment is posted, but the above sounds wrong.
