Drop #439 (2024-04-08): Late Lecture Links

ecosyste.ms; zi; VNC Resolver

Power is restored, but your friendly neighborhood hrbrmstr truly thought he could get a full edition out in the midst of a full day of normal work, eclipse diversions, and his five-hour Carnegie Mellon quarterly lecture — all with MrsHrbrmstr taking off to console a dear friend whose mum just passed away. So, this is more of a “blathering link dump” than proper Drop.

My CMU lectures are on cybersecurity, safety, resilience, and managing data and security in leadership roles, so this is definitely a “security-centric” edition.

We’re 100% on tap for Typography Tuesday!

ecosyste.ms

I recently came across ecosyste.ms and am very surprised I had missed it until now. It “provides a set of free and open resources for those working to sustain and secure open source software. Ecosystems publishes open data and APIs that map software interdependency and provides data about its usage, creation and potential impact. Ecosystems is infrastructure for a generation of researchers, policymakers, developers, and funders to build upon.”

Given the recent XZ kerfuffle, open source security is something top of mind in many places, and this resource provides data to poke at NPM (JavaScript), Crates (Rust), CRAN (R), and more through a few different lenses.

The header image is just some of the metadata it doles out, and — yes — that’s from an Observable notebook I’ll be making public in the next week or so as I try to get a handle on some of the meaningful stories it can tell. I came across it in the context of this presentation which I believe was delivered well, but is somewhat hard to follow without the talk track.

Let me know what stories you find if you poke at it yourself.

zi

This thread by Dylan Nugent (@dylnuge@recurse.social) is a cautionary tale about a Zsh plugin manager called “zi” or “z-shell/zi”. It’s timely, given the aforementioned XZ debacle, and is worth a read — if only to help you stay sharp when testing out new things.

The “zi” project appears to be a fork of the abandoned “zinit” project, but the creators have set up an organization and branding that closely mimics the official zsh project in a misleading way. Dylan notes that the installation instructions involve downloading a script directly from the website on every shell invocation, which raises major security concerns. There is a “verified” installation method that still has a TOCTOU vulnerability.
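As an added illustration (not code from the post or from the zi project), here is the contrast the thread draws: a shell init that pipes a freshly fetched script into `sh` runs whatever the server serves that day, whereas fetching once to a file, checking a pinned SHA-256 on that file, and executing that same file closes the time-of-check/time-of-use gap. The URL and checksum below are placeholders, not zi’s.

```shell
#!/usr/bin/env bash
# Added example, not from the post or the zi project.
set -eu

# Pattern the thread warns about (shown only as a comment, never run here):
# every new shell re-fetches an unpinned script and executes it straight away:
#   curl -fsSL https://example.invalid/install.sh | sh

# Portable SHA-256: Linux coreutils or macOS shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Verify-then-run on the SAME bytes: the checksum is computed on the local
# copy and that local copy is what gets executed, so nothing fetched later
# can differ from what was checked. $1 = downloaded script, $2 = pinned hex.
run_if_pinned() {
  script="$1"; expected="$2"
  actual="$(sha256_of "$script")"
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $script: expected $expected, got $actual" >&2
    return 1
  fi
  sh "$script"
}

# Full install shape (needs network; placeholder URL/pin, so not called here):
# download once to a temp file, then hand exactly that file to run_if_pinned.
pinned_install() {
  url="$1"; pin="$2"
  tmp="$(mktemp)"
  curl -fsSL -o "$tmp" "$url"
  run_if_pinned "$tmp" "$pin"
  rm -f "$tmp"
}

# Offline demo with a constructed stand-in for the downloaded installer.
demo() {
  tmp="$(mktemp)"
  printf 'echo installer-ran\n' > "$tmp"
  pin="$(sha256_of "$tmp")"
  run_if_pinned "$tmp" "$pin"                  # runs: same bytes as checked
  printf 'echo tampered\n' >> "$tmp"           # simulate a changed download
  if run_if_pinned "$tmp" "$pin" 2>/dev/null; then rm -f "$tmp"; return 1; fi
  rm -f "$tmp"
}
```

Record the pin once, out of band, when you first review the script; the point is that the bytes you read and the bytes you run are one and the same file.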

The project’s marketing and branding, including a very similar logo to the official zsh one, seem designed to appear more legitimate than it is; and, the main developer behind the project, Salvydas Lukosius, appears to be involved in other questionable online businesses and marketing schemes using AI-generated profiles.

Dylan’s thread arrives at the conclusion that this “zi” project is likely a scam or, at best, an irresponsible and untrustworthy fork of the original zinit project, and that folks should avoid using it.

I’m including it since it highlights the importance of carefully vetting open-source projects, especially ones that mimic established projects, to avoid potential security risks and deception.

I fear we’ll be encountering more of this as grifters get more greedy and the world gets hotter (from a conflict perspective).

VNC Resolver

Just for fun and to help prove why we can’t have nice things, take a look at VNC Resolver, a website “dedicated to showcasing all the insecure VNCs across the world. Last scan was done on May 10, 2023 and is currently ongoing.”

Yes. Folks run VNC servers on the big, bad, open internet.

There’s a Mastodon account you can follow to see a new screenshot every hour, or you can just hit the web site when you feel so moved.

I’d stay clear of the actual compute resources, but it’s nice to know that some building control systems are fully exposed to the internet, no? The section header is a fully open (to the world) spreadsheet. O_O

FIN

Remember, you can follow and interact with the full text of The Daily Drop’s free posts on Mastodon via @dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev ☮️
