Comment by mettamage

5 years ago

> That code is used to root and exploit people.

That comment made me think and I realized the following.

Open-source code like curl is inevitable when a society gains internet [1]. It's not Daniel's fault. If anything is to blame, blame the internet and human nature on a grand scale [2].

[1] If he hadn't made it, someone else would have. If no one else would have, then people would've done it privately. Some of that code would've been leaked and popularized as an open source project (it's basic probability: many people would need to do it privately, since they have to if they want their CLI to interact with the web).

[2] There was an interview I read/heard somewhere where some Twitter employee said: if there is a 1 in a 500 million chance that something could happen based on a small piece of text, it means that at Twitter, it happens every day.

Assuming the person writing is not just having a nervous breakdown or trolling (~50%), I think the metaphor they're using is very useful here:

> You built a formula 1 race car and tossed the keys to kids with ego problems.

He may have been run over by a formula 1 race car, but for some reason he ended up writing to and blaming the guy that's building the seats. Or the tires.

Curl is a ubiquitous tool used for pretty much anything. Assuming the grievance is real, blaming it for anything is clearly a misunderstanding of the situation.

Uh... I mean, you don't really think that person has an accurate understanding of what actually happened? Because I'm having a hard time trying to imagine that. It's not that there aren't any vulnerabilities in curl that can be exploited that way, but I struggle to think of a situation where curl would have been the actual culprit. Also, it sounds like he thinks curl is something purposefully malicious.

On the matter of "inevitability of progress": yep, I even think it applies to a much bigger extent. I just don't see how this is connected to the troubles of the-victim-of-curl guy.

  • Oh, the statement just made me pause and think that's all.

    > but I struggle to think of a situation where curl would have been the actual culprit.

    I agree, I think it's much more likely that there was a 2 stage type of exploit where curl was used to download the second stage locally on the machine. That's at least how curl (or wget) is used on hackthebox.eu (where everyone hacks boxes for fun).

> Open-source code like curl is inevitable when a society gains internet

Maybe, but there's maybe an alternate universe that doesn't begin with such a dumbass implementation of the web.

"Excuse me everybody, how about we not make it common for clients to describe themselves with a simple plaintext string and not have servers expect to blithely log that same string as if the invention of packet switching predates the invention of lying."

Perhaps ours is the only universe where the grad student who was supposed to utter that missed the bus that day.

Curl is a tool; and just like a knife can be used to rob a person it can be abused for malicious purposes. That's unavoidable no matter what kind of license it has.

Off point:

> if there is a 1 in a 500 million chance that something could happen based on a small piece of text, it means that at Twitter, it happens every day.

Really interesting. Do you remember what interview it was, who the employee was, or anything?

  • I wouldn't be surprised if this interview was 3 to 5, or even more years ago. Sadly, I really don't remember, but this little tidbit stood out to me at the time. I wouldn't be surprised if the "employee" is a really high ranking one, or one of the founders even.