Skip to content


Links for 2018-11-29

  • Presto Performance for Ad Hoc Workloads on AWS Instance Types

    good benchmark/review of instance types from Qubole

    (tags: qubole presto performance benchmarks ops aws instances ec2)

  • Party Parrot as a Service

    Enter an image URL and it’ll generate an animated GIF of the party parrot version

    (tags: party-parrot gifs funny slack emojis)

  • event-stream vulnerability explained – Zach Schneider

    This was an incredibly clever attack, very reminiscent of this blog post from January about how a similar attack might work. The attacker covered their tracks well — the code and commit log on GitHub all tell an innocuous and fairly common story (a new maintainer joins a project, adds a feature, and then tweaks the implementation of their feature a bit). Other than the warning signs about flatmap-stream (new package, no contributors or download activity), the attack was virtually undetectable. And indeed, it wasn’t discovered for over two months — it was only found because the attacker made a tiny mistake and used the deprecated crypto.createDecipher rather than crypto.createDecipheriv, which raised a suspicious deprecation warning in another library that consumes event-stream. Unfortunately, this genre of attack isn’t going away anytime soon. JavaScript is the most popular language right now and it’s not really close, meaning it will continue to be an attractive target for hackers. JavaScript also has relatively few standard-library convenience features compared to other languages, which encourages developers to import them from npm packages instead — this, along with other cultural factors, means that JavaScript projects tend to have massive dependency trees.
    (via Nelson)

    (tags: npm malware bitcoin security javascript event-stream flatmap-stream hacks)

Comments closed