.NET

1464 readers

1 users here now

Getting started

Useful resources

IDEs and code editors

Visual Studio (Windows/Mac)
Rider (Windows/Mac/Linux)
Visual Studio Code (Windows/Mac/Linux)

Tools

Decompilers: ILSpy, dotPeek
Scratchpad: LINQPad
Online playground and IL viewer: SharpLab

Rules

Rule 1: Follow Lemmy rules
Rule 2: Be excellent to each other, no hostility towards users for any reason
Rule 3: No spam of tools/companies/advertisements

Related communities

Wikipedia pages

.NET (open source & cross platform)
.NET Framework (proprietary & Windows-only)

founded 1 year ago

MODERATORS

[email protected]

197

Moq now ships with a closed-source obfuscated dependency that scrapes your Git email and phones it home (github.com)

submitted 1 year ago by [email protected] to c/[email protected]

25 comments fedilink hide all child comments

Also some fun takeaways: it also makes external calls to azure to load configuration and stays silent after updating for 2 weeks before showing warnings.

Moq is unusable. Needs to be forked or repoaced. Time to switch to NSubstitute.

you are viewing a single comment's thread
view the rest of the comments

[+] [email protected] 9 points 1 year ago (2 children)

[deleted]

[–] [email protected] 18 points 1 year ago (1 children)

It's in line with their delusional rationalization on their blog:

And I’m a firm believer that supporting your fellow developers is something best done personally. Having your company pay for software surely doesn’t feel quite as rewarding as paying from your own pocket, and it surely feels different for me too. We really don’t need to expense our employers for a couple bucks a month, right??

Just in case you felt that passionate about your enterprise-themed boilerplate work equipment.

I still find it hard to tell if it's malice or ineptitude, though.

[–] [email protected] 13 points 1 year ago* (last edited 1 year ago) (1 children)

There was some concern that SponsorLink might be collecting your email without your explicit consent. This is incorrect [...] The email on your local machine is hashed with SHA256 [before being sent] The resulting opaque string (which can never reveal the originating email) is the only thing used.

It's hard for me to believe someone who spent time implementing such a system would fall for such an obvious fallacy of what hashing can do. It's like hashing phone numbers, completely worthless - if the list of values it could be is limited you can simply brute force it. Take some available lists of known emails, take all known domains or mail servers and try github@domain, try some basic password cracking methods, dictionary attacks and simply append @gmail.com etc., I'd be surprised if you couldn't de"anonymize" 99.9% of mails pretty much instantly.

But right at the start of the projects readme we have "The resulting opaque string (which can never reveal the originating email) is the only thing used". "never" is something you wouln't say about salted passwords hashed with sha512, for unsalted emails it's asenine

[–] [email protected] 6 points 1 year ago

The more details I read, the better this gets.

[–] [email protected] 13 points 1 year ago (1 children)

Looks like SponsorLink is written by the same guy who wrote Moq. Feels like he's been planning this for a while.

I'm sympathetic to the cause as I know it can't be easy trying to find open source work, but I think he's gone about this all wrong