Node is fun, flashy and terrifying.

Edit: This morning I managed to get it all down to only 1 fixable vulnerability by setting:

? Set up unit tests: No
? Setup e2e tests with Nightwatch? No

Still, I think I’ll keep this on the dev-box until I’m reasonably certain I can control this beast.

Why not check out vuejs I thought… I’m new to all this server side JavaScript. But it sounds like fun, so lets see…

Hmmm… I just did an npm install fresh outta the box after installing some Vue.js prefabricated stuff ($ vue init webpack project_name) and my cmd spit out this:

added 1513 packages from 1798 contributors and audited 12011 packages in 33.859s. found 21 vulnerabilities (11 low, 1 moderate, 7 high, 2 critical) run "npm audit fix" to fix them, or "npm audit" for details

Neat!! 1513 packages! Wow. Thats a huge amount of Open Source spagetti. We are legion! We are NPM!!

These smart guys in the JS community, they have a command to fix vulnerabilities!

I don’t know how that would work, but I commend you brave anonymous programmer!

Wait… 2 Critical out-of-the-box security vulnerabilities? Ok, so npm audit fix it is… Now what?

fixed 0 of 21 vulnerabilities in 12011 scanned packages 4 package updates for 21 vulns involved breaking changes (use "npm audit fix --force" to install breaking changes; or do it by hand)

Umm, ok… npm audit then.

# Run npm install --save-dev nightwatch@1.0.6 to resolve 6 vulnerabilities SEMVER WARNING: Recommended action is a potentially breaking change

Meh. Breaking sheaking… lets do this!

npm install --save-dev karma@2.0.4

Six down, and only 15 vulnerabilities left…

npm install --save-dev url-loader@1.0.1

14… At this point the --force option is starting to look tempting. No. Can’t let the machine win on the dev box, this is my turf dammit!

I head over to the docs and see:

To address the vulnerability, you can

Check for mitigating factors
Update dependent packages if a fix exists
Fix the vulnerability
Open an issue in the package or dependent package issue tracker

Ok… lets try the first one. What does this say:

Affected versions of growl do not properly sanitize input prior to passing it into a shell command, allowing for arbitrary command execution.

What? arbitrary command execution?? No, no, fuck that. Jesus… I tried updating the package to the latest version. No fix.

So fix it myself? On my first day on the job?.. What the heck, lets see. The node page says …

1,217,161 downloads this week. Nope. I’m not up to that amount of crazy. Normal crazy maybe. But this is one million two hundred thousand crazies. Nope, nope. No.

Right. Maybe I try Rust next time. I hear the rust-todoMVC is lovely this time of the year.

node nodejs npm security npm audit panic at the dev box javascript vuejs

More you might like

Do you know where your towel is?
Happy Towel Day 2018!Here is some music to celebrate the occasion. — Do you know where your towel is?
Happy Towel Day 2018!
Here is some music to celebrate the occasion.

towel day Douglas Adams The Hitchhiker's Guide To The Galaxy May 25

Source: twitter.com net neutrality comcast lies more than the weatherman

Source: twitter.com infosec humour

914a3bcc2

ffactory:
“James Benning, List of Meanings; code used by Ted Kaczynski in his journals, originally written in the 1970s
”
Here it is in a convenient JS object.

Source: museum-joanneum.at js number code code cryptography Unabomber

phoxbox

How to (almost) instantly disable all 300 companies Tumblr wants to share your data with

canmom

If you’ve logged in to Tumblr in the last few days, you will have seen the GDPR warning, telling you Tumblr is part of the Oath family of sites, and requiring you to opt-in to their privacy settings.

You may not have realised that, in contravention of the GDPR rules which ban default opt-ins, if you don’t go into the ‘more options’ button and opt out of each individual sharing partner, Tumblr will share your data with a whole huge list of other companies. Like, 300 of them.

@the-mad-duchess has a post here describing how you can disable them.

If you’ve already opted in to the Oath privacy stuff, you need to go to your Settings page:

Click the Privacy button on the right:

Then, click the little button next to ‘Cookie Consent’ to revoke it.

After confirming you want to revoke consent, you will immediately be taken to that big privacy opt-in page again. From that point we follow the steps @the-mad-duchess described - first click ‘Manage Options’:

Then, click the blue ‘Manage’ button, and expand the two lists. You’ll see five kinds of data sharing, and like 300 different companies:

The first five you can click manually more easily than using javascript. That might be enough to opt out of any data sharing - but I want to be sure. So, let’s make sure we disable every single enabled partner as well.

However, clicking on 300 little buttons to opt out of is an absurd demand. There is, thankfully, a shortcut, using your browser’s developer tools.

What you want to do is open the web console. In Firefox, you do it like this: click the little menu in top right, then go down to where it says Web Developer:

Then, click the Web Console option:

This will open up the web console in the bottom of the screen. It will have a bunch of messages in it that you can ignore:

As shown, what we want to do is copy and paste some JavaScript code into this, then hit ‘enter’, which will make the browser simulate a mouseclick on every single one of these little buttons and thereby turn them all off. The code is this:

var rows = document.getElementsByClassName("vendor-options")[0].children;
for (var i = 0; i < rows.length; i++) {rows[i].lastChild.firstChild.click();}

If you’re not familiar with JavaScript, let me briefly explain what this is doing. The first line finds the part of the page with all the buttons in it - specifically, the rows in the table of vendors, which is identified by the “vendor-options”. The second line goes through each of them one by one, and for each row of the table, goes inside and finds the button, and simulates a click on it.

If it works correctly, you will abruptly scroll to the bottom of the page and all those little buttons will slide to the ‘greyed out’ position. Now you can go ahead and click Done, click the OK button, and carry on using Tumblr, trusting that if they keep their word, they won’t share your data with those 300 companies.

I’m gonna chat with the New XKit devs to see if this can be added (they may already be working on it). But I hope this saves you some time.

Note also - this is not actually compliant with the new GDPR laws. The rule is that you have to explicitly opt in to letting companies use your data, you can’t have a list of default opt-ins behind a button like this. At some point, somebody will hopefully sue Yahoo/Oath and establish that in court. In the meantime, let’s keep our data to ourselves.

pachanka

Cheezus fucking christ, this site must hate its users.

Source: canmom privacy tumblr

Source: twitter.com privacy humour GDPR law

gif i made a thing chat tumblr font tumblr

ecstaticsec

hackingarticles.in

Multiple Ways to Get root through Writable File

In Linux everything is a file, including directories and devices that have permissions to allow or restricted three operations i.e. read/write/execute. When admin set permission for any file, he should be aware of Linux users to whom he is going allow or restrict all three permissions. In this article, we are going to discuss Linux... Continue reading →

pachanka

Copy /bin/sh inside /tmp

😨

The horror security linux privilege escalation

decodering

sqreen.io

The HTML & CSS Security Checklist | Sqreen

Learn how to improve the security of your HTML and CSS by following this HTML & CSS security checklist.

decodering

Security is hard. Every developer needs to write some HTML/CSS at some point. Some of us might think that HTML and CSS can’t really be an attack vector. But modern web technologies bring them wide capabilities that can also be used for malicious purposes. This checklist aims to help developers learn security best practices and avoid vulnerabilities. Every item of the checklist are sorted by category to make it more usable.

pachanka

Not as obvious as you might think.

html web dev security

My fortune today

This product is meant for educational purposes only. Any resemblance to real persons, living or dead is purely coincidental. Void where prohibited. Some assembly may be required. Batteries not included. Contents may settle during shipment. Use only as directed. May be too intense for some viewers. If condition persists, consult your physician. No user-serviceable parts inside. Breaking seal constitutes acceptance of agreement. Not responsible for direct, indirect, incidental or consequential damages resulting from any defect, error or failure to perform. Slippery when wet. For office use only. Substantial penalty for early withdrawal. Do not write below this line. Your cancelled check is your receipt. Avoid contact with skin. Employees and their families are not eligible. Beware of dog. Driver does not carry cash. Limited timeoffer, call now to insure prompt delivery. Use only in well-ventilated area. Keep away from fire or flame. Some equipment shown is optional. Price does not include taxes, dealer prep, or delivery. Penalty for private use. Call toll free before digging. Some of the trademarks mentioned in this product appear for identification purposes only. All models over 18 years of age. Do not use while operating a motor vehicle or heavy equipment. Postage will be paid by addressee. Apply only to affected area. One size fits all. Many suitcases look alike. Edited for television. No solicitors. Reproduction strictly prohibited. Restaurant package, not for resale. Objects in mirror are closer than they appear. Decision of judges is final. This supersedes all previous notices. No other warranty expressed or implied.

this is going to be a rough week fortune linux

daily-klingon

Plans For July

I have plans for the month of July. Watch this blog.

plans

See, that’s what the app is perfect for.