https://nitter.poast.org/da_wamwoowam/status/182487490957266...
How about some fucking empathy? Yes, maybe the dev isn't a windows expert, but I'd guess most devs aren't. Most people don't have the luxury of pulling in a specialist to do every little feature, nor the luxury to do a deep dive to figure out the absolutely correct way. Such is the reality of (commercial) software development. I don't think we need to have snarky attacks on the front page of HN for that.
But I would look up the right way to find the system installation if I were writing production code, or even personal-use code, that needed to know where it was. I also wouldn't walk the filesystem looking for a program I was relying on (and assuming filenames and installation locations, but evidently not with a definitive standard location in mind). If I had to do that, I would know there was something horribly wrong with my own design. Although I should probably already be clued into that if my chat program is having to fool with GPU arcana like that.
Either some programmer has put thousands of other people's reliability and resources at risk by intentionally taking on something they're unqualified for and don't have the time to do right... or some manager has pushed somebody into that position.
If you mean that the reality of commercial software is that it's written by half-qualified people under unreasonable time pressure, why should we have "empathy" for the people who make it that way?
If I search Google for "nvidia-smi.exe", one of the top results is a Stack Overflow answer with 70 upvotes, describing exactly the approach taken by the linked code.
> This is amazing. Started as a small project just for myself, it now has > 15,000 lines of code, > 600 versions published, up to 8 mio downloads per month, > 300 mio downloads overall. #1 NPM ranking for backend packages. Thank you to all who contributed to this project!
It's fair to blast Discord here, but not the library's authors. When you want "production code", maybe do better* than npm-installing a project with lifetime donations of, let's see, $624.
* Like donate, audit and upstream improvements, or build it yourself from scratch.
> Discord Applying Forced Arbitration - opt-out before it is too late!
> https://news.ycombinator.com/item?id=40252525
We're talking about a corporation handling our private communications, not a group of unpaid volunteers. Corporations act out of greed. That's the way capitalism works and we shouldn't pretend otherwise. Two decades ago, there was lots of empathy for the company that promised to "not be evil" and just look at how well that went. Accountability is what we should be pushing for, not empathy for those who abuse us.
The code in question supposedly gathers system information to send back to Discord. It's sensitive information gathered for Discord's own sake. Maybe, just maybe, they should be more aware of what their own code is doing at the very least when doing such things.
Anyone attempting, or purporting to do this job should know this, and if they don't know this, then that very fact is the unforgivable thing.
I say this as someone who has barely programmed anything for windows. I managed to make a custom version of putty for work that replaced the registry with a text file for settings, and made it launchable to make saved sessions portable. And I managed the amazing engineering feat of producing a .exe that wraps a twain scanner library. No ui, just a cli that copies argv to the library calls. And I wrote a powershell script that talks to a device over rs232.
That's about it. More than my mom could do but all in all essentially nothing.
The criticism of this utter shit is not elitism.
When I first had that work project to hack on putty, at first I took a look just to see if I could figure it out. I immediately decided I could not figure it out in any reasonable time.
So I tried to hire a freelancer to do it. Pay someone who actually does this, right?
You know what they did? For $3k usd in 2005 or so? They fucking called regedit. As in they executed the regedit exe in a system call to import a text reg file. The settings are still stored in the registry, and I already knew how to run regedit to export and import .reg files. I could have done that much by just wrapping my exe in a bat file that runs regedit before launching putty, and that would have been a better engineered result than putting it in a system call, because it would be more flexible since the bat could be modified infinitely later without recompiling.
They were working on c code that already had code examples in it for working with the registry directly, and for reading and writing files, and yet when they needed to read a file to load settings, they ran an external executable that reads a file and puts the contents into the registry.
And putty actually has a fairly modular settings module! The registry stuff isn't baked in all over the place. There is a single c file that does all of the settings storage and retrieval. You can essentially swap the whole file out with anything else.
Am I some supergenius just because I knew enough to not try to do a job I didn't know how to do?
Am I a supergenius just because I was able to at least read code even if I couldn't write it, enough to see what it was doing and that it was a shit way to get the outward appearance of what I asked for?
How come you aren't completely offended and scandalized by solutions like these? What code that I rely on are you writing right now?
We do indeed all have dirty underwear but this is not a case of "not an expert". That is inexcusably misrepresenting the essence of the criticism here.
> THIS is why your software is slow. it's not "web tech" or "electron" or "JIT compilation" or any fucking sorting algorithm
> it's boneheaded _design decisions_ made to avoid doing things properly in packages with 1,600,000 weekly downloads.
> :DDDDDDDDDD this is why everyone hates nodejs developers
Yes, you can criticise a piece of software for doing something X way, but you don't have to shit on the people who made it in the process. Imagine being the person who implemented this waking up and seeing that.
Which isn't important for general use but is relevant if you're screen sharing/streaming your display
https://www.npmjs.com/package/systeminformation
https://github.com/sebhildebrandt/systeminformation/blob/mas...
https://github.com/sebhildebrandt/systeminformation/blob/mas...
Discord attempts to find nvidia-smi libraries by launching a series of powershell scripts. Those scripts are really terrible with a lot of if-else logic based on hardcoded strings and environment variables. They are also apparently fairly slow and scan over 800 directories.
Honestly, this is just yet another example of Discord not really developing their software well security-wise.
Another bad security example: the 2FA implementation is not really that secure since you can continuously ask for backup codes to be sent to your email, which you presumably open frequently on the same PC (there is already automated malware that will abuse this and circumvent your 2FA via newly generated backup codes).
Yet another terrible implementation: QR codes. There are rampant phishing attempts that work fairly well because they trick people into accepting an invite to some discord server. Once you are in it then you are presented with an "anti-spam/anti-bot" verification check which asks you to scan and confirm a QR code. Little do the majority of people know that it is a login QR code, and once you scan that then the hackers will just take over your account in less than a second as all this stuff is easily automated already.
Regarding the QR code vulnerability, how do you know if you are scanning a harmful QR code?
On the login page of the web version of Discord, you have the option to log in in two ways: either by using a username/password combination, or by scanning a QR code with the Discord app on your mobile.
The QR code is linked to your desktop session, and scanning the QR code with a mobile device will cause Discord to authenticate the desktop session with the credentials stored on the mobile.
Thus, if the attackers take one of the QR codes from their own desktop session and give it to you, scanning it will authenticate their desktop session with your credentials.
The QR codes have a rotating code that's meant to prevent old QR codes from being used, but that only means that the attackers just need to re-request the QR code every so often and show the new one.
Honestly, I wish every HN post linking to Twitter was just changed to a threadreader link because otherwise only registered Twitter users can see the content being posted.
Twitter is just really bad for persistent information. In a perfect world we'd have articles filtering the massive noise-to-data ratio and serving as a persistent archive of whatever happened in there.
(The powershell bit seems to be used for something else however, so that’s just ancillary stupidity)
Only the more experienced Windows app developers would get it right. How many of those are there in the world? How many are working at Discord?
Most likely some dev who was not a super Windows expert was assigned this task, and figured out how to do it using the tools that they already had the most familiarity with. In this case that was Powershell.
This is what most of us do every single time we code. We prioritize getting a solution that achieves the desired result, which this does. We prioritize getting it done quickly, which means using familiar tools instead of spending a bunch of time learning something new. We prioritize passing tests, which this probably does. Performance is not a priority at most places until it becomes so bad that it’s extremely noticeable. Discord on Windows is most often used on powerful gaming PCs that won’t notice this inefficiency.
That said, now that someone so kindly pointed out the issue, maybe Discord will fix it. Or maybe not. If it’s not a bugfix, or a new feature, or a security patch, why would they prioritize it?
And that's the correct approach. Whenever I pick a task, I make sure I either know the matter in question or need to study it - in which case I inform my co-workers and especially the Tech Lead this needs to be taken into account.
Frankly, even if it was an internal piece of software used just by a few hundred/thousand people, I would be ashamed of doing it this way because I would be afraid it could have negative impact on my career in this organization.
From: https://x.com/da_wamwoowam/status/1824874909572665735
`readdirSync`, `statSync` are from https://nodejs.org/api/fs.html