How many production servers have you been responsible for in your lifetime?
"There is no difference to running an executable. "
... There are the following differences.
1. That url, assuming no malicious 3rd-party/nation-state is spoofing the response, could return any different version of the installer resource at any given time.
2. That url might not always be available, for any number of reasons, and how is someone who wants to "discover" this software supposed to find it when they are looking through their available package list?
3. Who knows what that url is "supposed to do" ... there is no signing process, peer review process, nothing, you get whatever the apache server on the other side of that HTTP request wants to give you, and you're gonna send that right into your root shell...
4. Unlike a package, sitting in my personal safe, self-hosted, audited, self-verified debian package repository mirror ... this URL might not work tomorrow, it might not work at 3:35am when my primary server took a shit and I need to rebuild the whole stack... who knows what this URL will do in between subsequent runs... it could return 2 different things when I am trying to build a cluster of this product.
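One way to address points 1 and 3 above without waiting for a distro package: download the installer to disk, compare it against a checksum you pinned yourself, and only then execute it. This is an added example and not code from the thread or from any project discussed here; the URL and checksum variables are placeholders you would set from your own records.

```shell
#!/bin/sh
# Added example: fetch an installer to a file, verify it against a checksum
# pinned in your own configuration, and refuse to run it on mismatch.
# INSTALLER_URL and PINNED_SHA256 below are placeholders, not real values.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
# Uses sha256sum where available (GNU coreutils), else shasum (macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_installer FILE EXPECTED_SHA256
# Returns 0 if FILE's digest equals EXPECTED_SHA256, 1 otherwise.
verify_installer() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_and_verify URL EXPECTED_SHA256 DEST
# Downloads URL to DEST (never straight into a shell), verifies it, and
# deletes the file if the digest does not match. Returns 0 on success.
fetch_and_verify() {
    url="$1"; expected="$2"; dest="$3"
    curl -fsSL "$url" -o "$dest" || return 1
    if verify_installer "$dest" "$expected"; then
        return 0
    fi
    printf 'checksum mismatch for %s, refusing to run it\n' "$dest" >&2
    rm -f "$dest"
    return 1
}

# Typical use (placeholders, not run here):
#   INSTALLER_URL="https://example.invalid/install.sh"   # assumed
#   PINNED_SHA256="<digest you recorded after reviewing the script>"
#   fetch_and_verify "$INSTALLER_URL" "$PINNED_SHA256" ./install.sh \
#       && sh ./install.sh
```

The pinned digest has to come from somewhere you trust (a copy you reviewed, or a signed release file from the project), otherwise the check only proves you downloaded the same thing twice. It does not solve availability (point 2 and 4), which is what a mirror or your own repository is for.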
3. See 1, unspoken comparison to trusted package archives excepted.
4. Yes, getting your software into an official publishing channel is preferable, but not automatic, not immediate, and not without update latency.
I'm 110% with you on hating pipe to shell, however. Your arguments don't really address the issue.
And note also that you can just clone from github if you don't like piping to shell. And nothing prevents you from packaging it yourself in your own trusted repository. If you run serious infrastructure, you already do this.
"Nobody in their sane mind should curl a script into bash to install a product"
This, so much this.
I was actually extremely excited over a similar product "flynn"... but they have also lost their mind when it comes to installation: https://flynn.io/docs/installation
They have the source on Github, you're never forced to pipe curl to bash, it's just the default. Not a great default, admittedly, but hardly deserving all the hate.
How about contributing a PR with a script that produces OS packages, instead of complaining that the free cake doesn't come with a cherry on top?
Yeah, but mostly focused on keeping bad guys out, not making sure the good guys can get in. (E.g. having your servers in someone else's data center is probably more secure than trying to secure them physically in a startup's office, but means getting to them is harder for you as well)
I could see an argument for colocating this type of enterprise in a secure data centre. There are places with 24/7 surveillance and 24/7 armed staff on site and they are going to do the security better than your average group of startup guys.
Yeah, "We noticed the hot wallets dwindling but assuming it was members moving their funds off site during the DDOS, we loaded all the cold balances onto the site"
Possibly, but in light of the protracted duration of the DDoS, it makes sense that people would be moving their holdings off-exchange when they could connect. If the withdrawal addresses were all different -- and from what Excoin posted on their site it looks like the party responsible used multiple BTC and NBT addresses to move the funds -- multiples of small to moderate amounts of coins being requested doesn't sound out of the question.
In retrospect, it was a horrible decision not to research these transactions in depth as they happened, but the Excoin team was fighting a "bigger" fire at the time with the DDoS.
"Do they not plan on there being an official investigation?"
How do you officially investigate someone stealing your monopoly money?
Where is the FDIC insurance? Exactly what are they supposed to tell the police? The FBI? ... oh that's right, nothing, because they are not a bank, and the only thing "stolen" was some ones and zeroes off a hard-drive.
Seriously though... where is the police report on this? Or any of the other hacked bitcoin exchanges for that matter?
It doesn't matter if you're storing bitcoins or roflcoins or pictures of kittens: in most places, maliciously accessing somebody else's computer system and stealing data is a crime.
The government investigates stolen "ones and zeros" all the time. The FDIC provides protection for users, but the lack of FDIC doesn't mean that no laws apply.
Assuming such laws apply to them, and assuming they broke them, "so?". Their guilt or innocence does not have any connection with any investigation of somebody hacking into their systems.
> Where is the FDIC insurance? Exactly what are they supposed to tell the police? The FBI? ... oh that's right, nothing, because they are not a bank, and the only thing "stolen" was some ones and zeroes off a hard-drive.
This is a slippery slope. How do you think the Federal Reserve pops money into existence before they go on a QE tear? The bits ("ones and zeroes") pop into existence in their account, and they start buying assets/mortgages/whatever.
Currency only has value because of the shared belief that it has value.
You think there's never any police reports or official investigation? How do you square that with the facts surrounding the collapse of Mt Gox? A recent headline announced that the police are closing in on the fraudsters: http://www.welivesecurity.com/2015/01/02/bitcoin-fraud-mt-go...
Apparently police are quite capable of investigating the theft of "monopoly money", and understanding the issues involved.
I have no love for BTC, either, but whatever it is that was stolen -- be it a bunch of ones and zeros, some paint smeared on canvas or your rare comic books -- if it has market value (more than monopoly money, certainly) then valuable property was stolen. The higher the value, the more serious the crime. And if there was a theft of property, the FBI can certainly investigate.
I would guess his paranoia is more general than directed at npm directly. However, it's a fair point that NPM allows anyone to push projects with no oversight, whereas many other package manager inventories are maintained and curated.