[HN Gopher] Infosec company pwned by 4chan user
___________________________________________________________________
Infosec company pwned by 4chan user
Author : deletescape
Score : 280 points
Date : 2023-05-10 15:10 UTC (7 hours ago)
(HTM) web link (maia.crimew.gay)
(TXT) w3m dump (maia.crimew.gay)
| RamblingCTO wrote:
| > which makes it all so much more ironic how completely they have
| been hacked.
|
| Nope, not really. It just takes one mistake and you're pwned.
| Imagine giving the intern a small project, you're losing your
| head due to your main project, no time to supervise. Boom.
|
| /e: Or imagine an update in one of your libs/apps. In order not
| to be hacked you need to make everything right. In order to
| hack you just need to find one mistake. Well, kinda, but you know
| what I mean
| Leo_Germond wrote:
| I guess they meant paradoxical. Being a security company they
| are a juicy target for an attacker's rep, meaning they are in the
| situation where they are both more protected than usual but
| also more at risk. That's the arms race paradox I guess.
| resfirestar wrote:
| It only takes one mistake, but this was a pretty easy one to
| prevent. At a mature company with a decent security program,
| creating an internet facing Jenkins instance wouldn't have been
| approved by IT, doesn't matter if it was an intern with an
| overworked manager trying to set it up. So it is pretty bad
| that a security company failed at something as basic as
| minimizing their attack surface (and possibly not sufficient
| segmentation between the dev environment and customer data, but
| the post is not very detailed on that part). Not surprising,
| though.
| alexjplant wrote:
| This page reminds me of the old web. I kind of miss it, auto-
| playing MIDI songs and custom cursors and all.
|
| I'll take that over having to wade through Reddit 12 times out of
| 10.
| Semaphor wrote:
| 0 times out of ten for me. First I blocked the annoying cat,
| then I got to the bottom, was assaulted by blinking buttons and
| decided I didn't need to know what else they were saying
| anyway.
| phoe-krk wrote:
| Have you tried Firefox Reader Mode? It renders this website
| (and a lot of others) without a lot of distractions.
| ceejayoz wrote:
| You would not have enjoyed the late 90s.
| cushpush wrote:
| Oh man, never visit Tumblr
| pc86 wrote:
| Oh my, _assaulted_? By that single blinking icon? I hope
| you're ok.
| rejectfinite wrote:
| Yet everyone on HN complains about ads
|
| Yes I blocked it with ublock
| OkayPhysicist wrote:
| Because at the end of the day, the problem with ads isn't
| that they're annoying, or get in the way, or are garish,
| or whatever else. The problem with ads is that they are
| ads. They're an overt attempt to hijack your attention and
| implant ideas in your head, ideas that are antithetical
| to your own wellbeing.
|
| A little cat chasing my cursor is just plain fun. No
| malice involved.
| supriyo-biswas wrote:
| Interestingly, had this complaint been about an ad, parent
| would have been upvoted with hundreds of comments agreeing
| with them.
|
| In other words, what OP is trying to say is that websites
| should be designed with the user's goals in mind, and IMO
| it's fair to say that this website wasn't designed that
| way.
| insanitybit wrote:
| If anything this just shows that people don't hate ads
| because they're obnoxious, they hate ads because they're
| ads.
| int_19h wrote:
| Ads are generally not nostalgic references (and when they
| are, you still know that it's someone ultimately trying
| to push your emotional buttons to get you to give them
| money).
|
| https://en.wikipedia.org/wiki/Neko_(software)
| rejectfinite wrote:
| Yes. But I also do not like people younger than me.
| Springtime wrote:
| You might have liked Lulzsec's website. They had an auto-
| playing audio clip of the Love Boat TV theme and an ASCII ship
| above text lyrics that replaced the word 'love' with 'lulz'. It
| was refreshingly amusing.
|
| Sadly archive.org doesn't have a copy from its live state--
| however I saved the home page at the time (MHTML ftw) and
| here's a video capture of it*: https://streamable.com/zon5wy
|
| * Expires in one day
|
| Edit: for context Lulzsec were a hacking group a decade back
| responsible for various headline-making leaks and website
| hacks.
| nyc_data_geek1 wrote:
| Until they flipped Sabu
| Waterluvian wrote:
| Other than the colours being difficult to read, I _really_
| enjoy this webpage.
|
| Now I want to go demake mine.
| boomboomsubban wrote:
| As the creator was born in 1999, it's interesting to me because
| she's nostalgic for a period she did not fully experience. It's
| something I did, and it's neat yet strange to see it being done
| to a part of my past.
| lopekaa wrote:
| [flagged]
| throwaway6734 wrote:
| >It's something I did, and it's neat yet strange to see it
| being done to a part of my past.
|
| Agree. I read recently that digital cameras have been taking
| off among younger people in the way vinyl took off among
| millennials. I'm excited to see how people that grew up with
| excessive, toxic social media manage to find better solutions
| for dealing with the internet
| akritrime wrote:
| I am in a similar age range and I am drifting towards this
| aesthetic. I think it's the counterculture of the
| increasingly sleek websites, with their overcomplicated 3D
| animations. Not saying either is better than the other, just
| it is the opposite end of the spectrum and a way of still
| having fun when creating a website while making it feel
| personal.
| serf wrote:
| it reminds me of the phenomenon of parodying 'I Love Lucy!'.
| Even though it hasn't seen new episodes since 1957 it is
| included or mentioned in some way in nearly every popular
| media.
|
| The constant revitalization of the parody through new works
| ensures that the future will also include some mention. I
| think 90s aesthetic/internet-culture is a bit like that --
| the projects that include those themes beget new similar
| projects in the future as long as they have some level of
| audience exposure.
| AlexAndScripts wrote:
| I feel this. It seems like somewhere I would have thrived and
| immensely enjoyed, and I hear people's nostalgia for it, but
| it's something I never got to experience myself. (~18yo).
| amatecha wrote:
| Yeah, it was freakin' awesome. All my friends and I made
| websites. We linked to each other, shared sources of good
| GIFs and images, chatted on IRC, eventually shared mp3s
| when those were a thing. It was a seriously badass time to
| grow up. I regularly feel very thankful/lucky to have grown
| up in that time period and have my own online computer to
| experience all that stuff!
| joshmanders wrote:
| This is common among the younger people joining the internet.
| And the creator of SpaceHey.com was nostalgic for the days of
| old social media that happened when he was too young to
| experience it.
|
| Add me if you have a SpaceHey account!
| https://spacehey.com/josh
| BoxOfRain wrote:
| I have a soft spot a mile wide for SpaceHey, there's just
| something about the whole idea that's really nice. I'm not
| sure how much of it is because building a whole social
| media platform out of nostalgia is a very hacker-like thing
| to do and how much of it is just because it's nice to see a
| social media platform that's not so aggressively monetised
| and manipulative but either way I'm really happy it exists.
| andrepd wrote:
| I'm nostalgic for the Amiga despite being born in the late
| 90s!
| TazeTSchnitzel wrote:
| I'm not a lot older than her and have a similar fondness for
| that aesthetic. While it's true I didn't _fully_ experience
| it, a lot of late 90's sites were still online, more or less
| untouched, in the late 2000's, so they were there to be
| appreciated even though they were a relic by then. At that
| time, IE stagnation was still a thing, and MIDI playback was
| still in browsers, so the 2008 experience of a 1998 site was
| probably fairly authentic.
| boomboomsubban wrote:
| Similar to how I did not experience the late 70's but
| gained a fondness for it by watching "Taxi" and listening
| to Television.
| morkalork wrote:
| They were born in 1999, so it's more like what a new
| generation's impression of what the old web was like.
| waboremo wrote:
| You don't really have to know what specific year they were
| born in, the refusal to capitalize is a dead giveaway they
| did not experience that time at all. Anybody of that time
| period would be embarrassed to do so on a public site.
|
| Kind of funny how we carry these different meanings to mostly
| meaningless things.
| bink wrote:
| Making advisories hard to read has been a thing since
| forever. Remember Gobbles?
|
| https://github.com/thinkitdata/GOBBLES/blob/master/advisori
| e...
| waboremo wrote:
| Very true, trends after all come and go.
|
| Specifically about this style though, I feel it fits
| right into the blog series about "domestic cozy"[1]. It
| aims to be exactly that, imply super casual/low effort
| tone, make it feel a bit more personal, and
| simultaneously about ignoring social traditions that feel
| redundant to them. Like all trends, it takes effort to
| follow, and part of this is encouraging friends to turn
| off auto-capitalization on your phone.
|
| So I would say it's a bit more than just trying to make
| something hard to read, and focusing on that bit might
| make you miss the rest of their storytelling process!
|
| [1] https://www.ribbonfarm.com/series/domestic-cozy/
| mlyle wrote:
| I had an all-lowercase website for a couple years on the
| early web. So did many of my friends. Archive.org snapshots
| are 2000-2001, but they'd been around before that in many
| iterations.
|
| Gah.. it's all embarrassing to look back on for other
| reasons...
| waboremo wrote:
| Don't be shy, bring it back, you're ahead of the curve!
| hezralig wrote:
| Was the author the girl that owned the TSA in the past year?
| alpaca128 wrote:
| Iirc it wasn't the TSA directly but an airline and their
| copy of the nofly list.
| orhmeh09 wrote:
| FYI, the author uses it/she pronouns.
| JasonFruit wrote:
| So it uses it/she pronouns? Usually the object pronoun is
| second; does that mean that it wants people to call she
| "it" unless they're doing something to she? That's off the
| chain, and sounds like meta-trolling.
| woooooo wrote:
| It's legendary.
| millzlane wrote:
| Live journal-esque.
| jabroni_salad wrote:
| You should check out the game Hypnospace Outlaw, which is set
| basically in a geocities-forum hybrid environment. It's
| basically a love letter to this old very personal internet.
| walthamstow wrote:
| It's been a long time since I had the sensation of going from a
| site with a brightly/strongly coloured background to another on
| white/beige and my eyes not being able to handle it. I really
| quite enjoyed it.
| generalizations wrote:
| Found this on the same blog. Wild read. Apparently they found a
| copy of the nofly list from 2019.
| https://maia.crimew.gay/posts/how-to-hack-an-airline/
| bo0tzz wrote:
| Discussed here previously:
| https://news.ycombinator.com/item?id=34446673
| yccs27 wrote:
| She has a pretty comprehensive wikipedia entry:
| https://en.wikipedia.org/wiki/Maia_arson_crimew
| sdfghswe wrote:
| [flagged]
| [deleted]
| brodouevencode wrote:
| Appears to be self-authored.
| shp0ngle wrote:
| It does seem weirdly detailed about someone I would mark as
| not really encyclopedically significant; but it has the
| citations and quotes so what do I know. It's one of the
| better Wikipedia articles in general
|
| However, it is not self-authored as can be seen in the
| history of the article.
| tenken wrote:
| ... guess that's why it's comprehensive ^_^
| jimmies wrote:
| A quick glance at the history of the article, I see it was
| edited by multiple usernames and IP addresses at different
| times. How did you come to the conclusion that it was self
| authored?
| whichfawkes wrote:
| To be fair, if I was writing my own Wikipedia page, I
| would do the same.
| uoaei wrote:
| I don't think it's a stretch to assume that infosec
| experts/hackers have ways to falsify their online
| identities.
| derefr wrote:
| Funny to think about: "writing your own Wikipedia page
| without it getting taken down for Original Research" is a
| fun first hobby project to certain kinds of network-
| security people, as much as "making your Github
| activity graph solid green" is a fun first hobby project
| to bot programmers.
| grumple wrote:
| Because this is a person that doesn't meet the notoriety
| requirements for Wikipedia, and goes into a level of
| detail that is also totally unnecessary. It is trivial to
| connect to different servers via VPN and creating new
| usernames on Wikipedia takes seconds.
| tptacek wrote:
| They clearly do meet the notability requirements; the
| cites on this article are almost as long as the article
| itself. Notability on Wikipedia is a term of art; it
| refers ("mostly") to how much of the content of the
| article can be drawn from (ideally diverse) secondary
| sources. It's not an achievement award.
| KomoD wrote:
| > Because this is a person that doesn't meet the
| notoriety requirements for Wikipedia
|
| Very much does, just because you don't know them doesn't
| mean they don't.
| status200 wrote:
| Easy to check on wikipedia, looks like it was created by
| the user Ezlev [0], who does not appear to be crimew's
| wikipedia account, and updated by several other users over
| the last couple years.
|
| [0] https://en.wikipedia.org/wiki/User:Ezlev
| dmbche wrote:
| "however, they made one of the most comedic mistakes you can
| still make while setting up jenkins (im actually not sure which
| misconfiguration leads to this): the build information for each
| past build contains a link to the git repository, including the
| bitbucket credentials in the url. genius."
| bheadmaster wrote:
| The most horrible thing Jenkins does to devs is it encourages
| bad practice. Good practice is so cumbersome to do properly
| (create a secret, load secret in env through Groovy code, setup
| git configuration in a shell script) that, unless someone is
| actively monitoring them, devs are always in a temptation to
| _just put the credentials in the git URL, we'll remove them
| after testing_. Then one out of N times they forget and you get
| a security hole.
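An added example, not from the thread or the linked post: a small Python check a defender could run over exported Jenkins job and build records to flag Git remote URLs that carry literal credentials, the leak described in the two comments above. The XML and log samples are constructed, and the 20-character token threshold is an assumed heuristic.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Candidate URLs: stop at whitespace, quotes and XML angle brackets.
URL_RE = re.compile(r"(?:https?|ssh|git)://[^\s\"'<>]+", re.IGNORECASE)
# Userinfo that is only a variable reference (${GIT_TOKEN}, $TOKEN) is not a literal secret.
VAR_RE = re.compile(r"^\$\{?\w+\}?$")
TOKEN_LEN = 20  # assumption: a bare HTTP(S) "username" this long is probably a token


def classify(url):
    """Return (kind, redacted_url), or None if no literal secret is embedded."""
    parts = urlsplit(url)
    # rpartition keeps working when the password itself contains an unencoded '@'.
    userinfo, has_at, hostinfo = parts.netloc.rpartition("@")
    if not has_at:
        return None
    user, has_colon, password = userinfo.partition(":")
    if has_colon and password and not VAR_RE.match(password):
        kind, shown = "password", f"{user}:***"
    elif (not has_colon and parts.scheme in ("http", "https")
          and len(user) >= TOKEN_LEN and not VAR_RE.match(user)):
        kind, shown = "possible-token", "***"
    else:
        return None  # e.g. ssh://git@host/..., or user-only with a short name
    redacted = urlunsplit((parts.scheme, f"{shown}@{hostinfo}",
                           parts.path, parts.query, parts.fragment))
    return kind, redacted


def scan(text, source="<input>"):
    """Scan config/build/log text; findings never contain the secret itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in URL_RE.finditer(line):
            url = match.group(0).rstrip(".,;)")  # drop trailing prose punctuation
            result = classify(url)
            if result:
                findings.append({"source": source, "line": lineno,
                                 "kind": result[0], "url": result[1]})
    return findings


# --- Constructed samples (not taken from any real instance) ---
SAMPLE_BUILD_XML = """\
<build>
  <actions>
    <hudson.plugins.git.util.BuildData>
      <remoteUrls>
        <string>https://ci-bot:Sup3rS3cret%21@bitbucket.org/acme/scanner.git</string>
      </remoteUrls>
    </hudson.plugins.git.util.BuildData>
  </actions>
</build>
"""

# Job that references a stored credential by id instead of embedding it.
SAMPLE_JOB_CONFIG = """\
<hudson.plugins.git.UserRemoteConfig>
  <url>https://bitbucket.org/acme/portal.git</url>
  <credentialsId>bitbucket-ci</credentialsId>
</hudson.plugins.git.UserRemoteConfig>
"""

SAMPLE_LOG = """\
 > git fetch --tags https://build:${GIT_TOKEN}@bitbucket.org/acme/api.git
Cloning from ssh://git@bitbucket.org/acme/tools.git.
 > git ls-remote https://x0123456789abcdef0123456789abcdef@bitbucket.org/acme/web.git
"""

if __name__ == "__main__":
    samples = (("build.xml", SAMPLE_BUILD_XML),
               ("config.xml", SAMPLE_JOB_CONFIG),
               ("console.log", SAMPLE_LOG))
    for name, text in samples:
        for f in scan(text, name):
            print(f"{f['source']}:{f['line']}: {f['kind']}: {f['url']}")
```

Any credential this flags should be rotated, not just edited out, since past build records keep the old URL.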
| deng wrote:
| No, the most comedic mistake is to have a public-facing Jenkins
| running. I mean in general you wouldn't make your CI accessible
| from the outside, but especially not Jenkins. That software has
| probably more CVEs every year than all of our other tooling
| combined.
| supermatt wrote:
| Given the frequency with which I seem to update nokogiri on a
| rails instance, i assumed libxml2 would hold that award:
| https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libxml2
|
| But sure enough, jenkins FAR outweighs it:
| https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jenkins
| deng wrote:
| And that's just the ones that get reported. Since core
| Jenkins is pretty bare-bones, most instances also have many
| plugins installed, and most of those aren't properly
| reviewed at all.
| JackSlateur wrote:
| The most comedic mistake is to have a running Jenkins in 2023
| comprev wrote:
| The vast majority of gigs/jobs I've had which involved
| touching Jenkins were for the purpose of migrating
| elsewhere - Gitlab, GitHub Actions, Drone, Harness...
| [deleted]
| Dwedit wrote:
| I didn't even know that .gay was a top level domain...
| thinkling wrote:
| https://enola.gay
|
| (safe for work)
| sp332 wrote:
| Registration was first attempted in 2012. It was denied and
| appealed several times and finally recognized in 2019. After
| some Covid-related delays, it was opened to the public in 2020.
| https://en.m.wikipedia.org/wiki/.gay
| odiroot wrote:
| Time to register gaymusical.gay!
| schwartzworld wrote:
| "Not as long as some musicals" - The Banner
| c7DJTLrn wrote:
| I suspect this leak was made by the author themselves and
| submitted to 4chan via Tor or a VPN. I don't have hard evidence
| to back this up but if you read the Wikipedia article about them,
| it's pretty easy to put two and two together.
| thegeomaster wrote:
| The readme of the leak contains "meow :3", and the author's
| website is strongly cat-themed. Doesn't prove anything, but an
| interesting coincidence.
| c7DJTLrn wrote:
| >hello i am maia arson crimew (it/she) and i am gay, mostly
| for girls, and i'm a tiny kitten :3
|
| Kind of seals it. I admire their brazenness.
| Lammy wrote:
| Also this very submission
| https://crimew.gay/notice/AVWTkvCXna4Pca7OCm
|
| (Unironically keep slaybossing, OP)
| flangola7 wrote:
| 4chan blocks Tor and VPNs
| jeroenhd wrote:
| You can pay for 4chan and bypass the blocks:
| https://www.4channel.org/pass
|
| Costs $20 per year and can be paid with various
| cryptocurrencies. Since 4chan keeps IP logs, this seems like
| a good deal for someone leaking company source code.
| c7DJTLrn wrote:
| You cannot block Tor and VPNs. You can block known Tor and
| VPN ranges.
| reocha wrote:
| Maia is very honest when she hacks a company, unsupported
| theories don't help anyone.
| supriyo-biswas wrote:
| Their antics have been of questionable legality, and I would
| assume they'd try to avoid drawing too much attention, given
| that this is the 3rd US-based company they're trying to hack,
| and the US just might ask for an extradition.
|
| Further, the conclusion about Jenkins being the attack vector
| is drawn without much thought or explanation, and it is also
| interesting that they've used the same attack vector
| elsewhere.
| Analemma_ wrote:
| > and I would assume they'd try to avoid drawing too much
| attention
|
| I follow her on Tumblr and I assure you this is not the
| case. She's very ebullient and loves answering questions
| about her hacking.
| [deleted]
| cool_dude85 wrote:
| It says in the wiki entry that Switzerland does not
| extradite citizens unless they consent to it. She is
| probably already not able to leave Switzerland due to her
| US indictment.
| c7DJTLrn wrote:
| Maybe because previous hacks have been of varying legality.
| The entrypoint for the airline hack was also Jenkins.
| SuperShibe wrote:
| Maia also has enough going on with lawsuits from being honest
| in the past. Not taking credit for this one might be for the
| better...
| badrabbit wrote:
| Theme aside I really like this site's design.
| bagels wrote:
| I had to check the article to understand how it is notable for a
| 4chan user to also be a business owner.
|
| They're using "owned" in leet speak sense, infiltrated security.
| Swizec wrote:
| The correct spelling in that case is pwned isn't it? I got it
| from context, but those always felt like subtly different words
| to me.
| RamblingCTO wrote:
| I've seen owned plenty of times. "Owned a box" like that
| amatecha wrote:
| yeah, "owned" came far before "pwned". Wiktionary cites
| this usenet post from 1996 https://groups.google.com/g/alt.
| sysadmin.recovery/c/IsdIZqfW... .. can't find an "earliest
| source" for "pwned" tho
| bombcar wrote:
| pwn is a typo'd version of own, but since it's unambiguous it
| would have been better here
| sobkas wrote:
| > The correct spelling in that case is pwned isn't it? I got
| it from context, but those always felt like subtly different
| words to me.
|
| For me owned was as in "CIA owned Crypto AG" not "netrunner
| owned the Chrome _"
|
| _ not that Chrome
| livinglist wrote:
| Man I was wondering exactly the same thing! I'm not a native
| speaker so that might be why
| porcoda wrote:
| Native speaker, and title confused me even being familiar
| with the whole owned/pwned thing. I clicked on the article
| simply because I was curious why being a 4chan-using sole
| proprietor would be at all interesting.
| graypegg wrote:
| Oh wow. I think that's actually worth a title edit to add a
| note.
| amatecha wrote:
| yeah should probably be edited to "pwned" just to make it
| clear, even though "owned" is the original term for, well,
| getting owned/rekt/"hacked"/etc.
|
| I too thought it would be about a company who was a sole
| proprietor of an infosec corp lol
| dang wrote:
| Ok, we've s/o/p/'d the title above. Thanks!
|
| Edit: oops, I meant s/ow/pw/.
| aigoochamna wrote:
| > "hacktivist indicted by the doj, mentally ill queer anarchist,
| 23 years old, social justice insurrectionist, it/she"
|
| Ahhh yeahhh, really brings me back to my 20s.
| becquerel wrote:
| the platonic ideal of what 'hacker' means imo
| 2OEH8eoCRo0 wrote:
| hacktivism means hacking every unsecure jenkins instance for
| lulz?
| Bonus20230510 wrote:
| Might be worth doing some reading about hackers and their
| attitude towards "IP" and whether it can really be "theft".
| int_19h wrote:
| No, just the ones where the result is a leak of information
| on some large government surveillance program, or, say,
| exposing incompetence of a company that sells security-
| related products - especially ones focused on "intellectual
| property".
|
| Not that there's anything wrong with lulz as a motivation
| from the perspective of old-time hacker ethos.
| rejectfinite wrote:
| >if you enjoyed this or any of my other work feel free to support
| me on my ko-fi. this is my only real source of income so anything
| goes a long way, and monthly contributions help tremendously with
| budgeting
|
| wow she seems smart. I hope ko-fi is enough
| doodlesdev wrote:
| It's always Jenkins.
| voynich wrote:
| Apparently so, considering that this is the same person who got
| a hold of the No-Fly List a while back, and, you guessed it,
| they found it through Jenkins somehow.
| isoprophlex wrote:
| So ... same attack vector, you implying crimew might be this
| anonymous 4chinz user? Intriguing...
| intelVISA wrote:
| The fabled titan of security "Jenkins" could be breached by
| no other.
| cornhole34 wrote:
| OptimEyes.ai wins Global Infosec Award 2022 OptimEyes.ai data
| leak - 2023 smh
| testplzignore wrote:
| Aren't these industry awards essentially participation trophies
| for whoever is willing to pay? Like the notorious "Who's Who
| Among American High School Students" in the US.
| insanitybit wrote:
| Yes. I started a security company and received tons of award
| emails and conference invites that were all bullshit.
| westmeal wrote:
| crimew is 1337
| philipwhiuk wrote:
| Who makes their Jenkins instance world accessible!
| albatross13 wrote:
| Anyone setting up a honey pot. Half of 4chan posts are 3 letter
| agencies trying to bait people into violence.
| doodlesdev wrote:
| Or anyone else, such as aviation companies:
|
| https://maia.crimew.gay/posts/how-to-hack-an-airline/
|
| Previously discussed here:
|
| https://news.ycombinator.com/item?id=34446673
| henning wrote:
| Do not attribute to NSA conspiracy what can more simply be
| explained by the company being fucking stupid and not caring
| about walking the walk of infosec
| albatross13 wrote:
| [flagged]
| b800h wrote:
| Odd, what was particularly boomerish about that comment?
| dmbche wrote:
| But what's the trap here? Checking who downloads the file? I
| don't see how they can get any actionable info out of this
| albatross13 wrote:
| 1. post link to jenkins job in a 4chan thread relating to
| something nefarious
|
| 2. see who clicks it
|
| 3. now you have IP addresses of possibly nefarious people
| without needing to subpoena 4chan
|
| Something like that.
| rejectfinite wrote:
| >3. now you have IP addresses of possibly nefarious
| people without needing to subpoena 4chan
|
| ahahah 4chan is almost as mainstream as Reddit.
| ahahahahahahaaaaaaa you really think they would waste
| time like this for IP addresses to "keep track of"
| albatross13 wrote:
| Several people have been arrested based on 4chan posts
| recently, after 'threatening' a law enforcement official
| in florida.
|
| So...yes. Yes I do.
| rovolo wrote:
| The "bait" this comment is referring to is that a Sheriff
| publicly denounced _in a press conference_ a bunch of
| neo-nazi messaging spread around his town during a
| racecar event.
|
| https://www.jta.org/2023/04/27/united-states/a-florida-
| sheri...
|
| The sheriff's parents' house was swatted. These are the
| 4chan posts which were included in the various news
| articles.
|
| https://sports.yahoo.com/4chan-2-men-used-
| online-170958670.h...
|
| > "It's too bad Mike Chitwood isn't safe now that I'm
| planning to kill him. I'm going to shoot Mike Chitwood.
| I'm going to kill him by shooting him to death."
|
| > "Just shoot Chitwood in the head and he stops being a
| problem. They have to find a new guy to be the problem.
| But shooting Chitwood in the head solves an immediate
| problem permanently. Just shoot Chitwood in the head and
| murder him."
|
| https://www.clickorlando.com/news/local/2023/04/20/3rd-4c
| han...
|
| > "I WILL KILL CHITWOOD, MARK MY WORDS."
| [deleted]
| dmbche wrote:
| I think we're safe, anyone being half serious would be
| using a good vpn hopefully, it's likely to be a lot of
| false positives I would guess!
| revolvingocelot wrote:
| >anyone being half serious would be _behind seven
| proxies_
| ikiris wrote:
| How to waste your time tracking down 20000 wanna be
| script kiddies?
| malux85 wrote:
| No, but having a list of easy targets to pull from when
| your performance quotas get low could be useful (I wish I
| was joking)
| unethical_ban wrote:
| Or any and every security researcher / infosec company?
| insanitybit wrote:
| _so many companies_
| sofixa wrote:
| Who still uses Jenkins? It's an abomination of an obsolete
| system that is just a pain to use, manage, maintain, setup,
| etc. while there are much better, more featured, easier to use
| and maintain alternatives out there. _And it has been like this
| for close to ten years now_. It should have been ripped out in
| favour of either the "native" CI/CD (e.g. GitLab CI if GitLab
| is used for VCS, GitHub Actions if GitHub, etc.) or a modern
| one like Drone/Concourse/etc. years ago in any place that isn't
| ~two decades behind (so legacy airlines and banks?).
| deng wrote:
| Switched from a company using Jenkins to one using GitLab CI,
| and while GitLab CI is obviously "better" in the sense that
| it has less historical baggage, there are actually quite a
| few things I'm missing. Jenkins has a plugin for pretty much
| every obscure thing you can imagine, which is a blessing for
| the user and a curse for the administrator, as Jenkins
| quickly becomes Frankenstein's monster. But every time I have
| to wade through tons of log output on GitLab I miss Jenkins'
| warnings plugin, every time no runner is picking up my job I
| miss the nice runner overview of Jenkins which quickly showed
| you what runners are actually busy with, and every time that
| old slow runner is grabbing all the jobs I miss the runner
| prioritization... I could go on here, but really, there's a
| lot of things that Jenkins could do through nifty plugins
| that GitLab CI cannot do yet. I even wrote one plugin myself
| for supporting our in-house Linter, really wasn't that
| difficult and you could hook into pretty much every little
| detail (which, again, can also be a curse because every
| plugin had the power to simply crash your Jenkins...).
|
| EDIT: So to be clear, I'm not saying "Jenkins is better than
| GitLab". I would say GitLab CI is better designed, more
| robust and stable, but Jenkins is more configurable,
| extendable and has more features through its plugin
| ecosystem. So personally, I wouldn't go back to Jenkins, but
| I also don't find it ridiculous that people still use it.
| NayamAmarshe wrote:
| I like that with Jenkins you can use groovy, which gives you
| some extra power as far as writing commands is considered.
| You don't have to do everything via shell. Equivalent shell
| commands can be a bit messy sometimes.
|
| It was a bit painful to write the same stuff in GitHub
| actions. Jira's groovy script made loops, storing variables
| very easy compared to GitHub actions' YAML.
| TechBro8615 wrote:
| People who have convinced their boss that GitHub downtime
| means they should create their own shoddy self-hosted CI
| platform.
| flatline wrote:
| Is there an F/OSS alternative to Jenkins that I'm not aware
| of?
| intelVISA wrote:
| ssh & Make
| yjftsjthsd-h wrote:
| Well sure, but ssh and make run from what?
| Izkata wrote:
| A crontab?
| doodlesdev wrote:
| - Woodpecker CI: https://woodpecker-ci.org/
|
| - Drone CI: https://www.drone.io/
|
| - Buildbot: https://buildbot.net/
|
| - Gitea Actions: https://docs.gitea.io/en-us/usage/actions/overview/
|
| - Forgejo Actions: https://forgejo.org/2023-02-27-forgejo-actions/
|
| - GitLab Runners: https://gitlab.com/gitlab-org/gitlab-runner
|
| You could also use Ansible playbooks/roles to run your
| build, although that's going to be a bit more manual:
| https://www.ansible.com/
|
| Not necessarily endorsing any of the alternatives, just
| pointing them out.
| robrtsql wrote:
| How did Apache Maven make it onto this list? Seems like
| Maven is a build tool that one would invoke _from_
| Jenkins or Drone.
| doodlesdev wrote:
| That is correct, I removed it from the comment. It's more
| of an alternative to Apache Ant/make/whatever really.
| sdfghswe wrote:
| What is a better alternative, if you want to self-host?
| doodlesdev wrote:
| You can self-host:
|
| - Woodpecker CI: https://woodpecker-ci.org/
|
| - Buildbot: https://buildbot.net/
|
| - GitLab Runners: https://docs.gitlab.com/runner/
|
| - Gitea Actions: https://docs.gitea.io/en-us/usage/actions/overview/
|
| - Forgejo Actions: https://forgejo.org/2023-02-27-forgejo-actions/
|
| - Drone CI: https://www.drone.io/
|
| - CircleCI (not free nor open-source, but self-hosted):
| https://circleci.com/pricing/server/
|
| - GitHub Runners (same deal as CircleCI):
| https://docs.github.com/en/actions/hosting-your-own-
| runners/...
| brodouevencode wrote:
| That's what you took away from the question?
|
| Jenkins still lives in legacy, and probably will for some
| time.
| indigodaddy wrote:
| "Who still uses Jenkins?"
|
| I think you may have perhaps misjudged just how entrenched
| Jenkins is in corp/enterprise.
| x86_64Ubuntu wrote:
| The older I get, the more systems I learn are only around
| because they've been around.
| marginalia_nu wrote:
| A lot of the time when old things are still around, it's
| not because through all the years nobody has had the idea
| to replace them, but because the benefit of replacing
| them hasn't at any point in history outweighed the
| hassle.
|
| This is true for X11 and this is true for the QWERTY
| layout. The benefit of switching must outweigh the
| enormous hassle of doing so. It's easy to find something
| that's a little bit better, but that's simply not good
| enough to merit a switch.
|
| Often they're around because when it comes around, they
| do such a decent job and it's difficult to actually
| produce something that _has_ that sort of advantage.
| Miraste wrote:
| X11 is finally, finally on the way out. I have a lot of
| gripes with Wayland, but the day I stop needing to dive
| into xrandr and figure out why the screen is rotated but
| the mouse coordinates aren't or some other 1990s level
| problem will be a happy one.
|
| QWERTY seems to be too embedded even for that, but I
| wonder if it gets closer to replacement the higher the
| percentage of software keyboards climbs vs physical ones.
| rejectfinite wrote:
| Yes? do you know the cost of moving big systems?
| JackSlateur wrote:
| Do you know the cost of maintaining big old systems?
|
| There are hundreds of people here for that. I'm not in HR,
| but I guess that's a lot of money spent each year, just
| to get the same issues we had last year
|
| It takes a lot of money to not improve the situation
| MilStdJunkie wrote:
| Big companies with data restrictions that can't have anything
| so much as _look_ at the cloud, and they don't have the
| skills or money to set up something nicer on prem.
|
| Bitbucket is also a big part of this story.
|
| That results in seeing Jenkins all over the ding-darn place
| at Boeing, LockMart, RC, L3, NGA, etc.
|
| Of course, all that is thrown right out the window if you
| wire up the Jenkins instance to _the goddamn internet_.
| nebula8804 wrote:
| Oh they have come up with some new trash I have to learn?
| Great...
|
| Say you were developing in Angular and Python. Which one of
| these "alternatives" should I look in to? ie. Which is most
| requested by typical recruiters?
| SV_BubbleTime wrote:
| People doing embedded testing use Jenkins still. Not that I
| would, but some people do.
| ChuckNorris89 wrote:
| Embedded people are pretty pragmatic and tend not to chase
| fads for the sake of change or resume engineering. If it
| works, it's good enough for them.
|
| Switching away from Jenkins would cost effort and offer no
| competitive advantage to your end product, so then why do
| it?
| frant-hartm wrote:
| Why change something that mostly works fine? I don't like to
| change set of known issues for a set of unknowns.
|
| Also those who want to avoid vendor lock in. Git repo might
| be moved around, do you like changing CI/CD scripts every
| time you change your git hosting service?
|
| GHA work really well for simple stuff. For more complex in a
| larger organization there is no clear winner.
| code_runner wrote:
| jenkins is old and crusty, but it works and works well. if
| the UI for a build tool looks too fancy, my faith in it drops
| to 0 almost immediately.
| [deleted]
| sidlls wrote:
| It doesn't work well. It's the JIRA of CI/CD: it is
| entrenched and does multiple things but doesn't do any one
| thing well, and the people that decide what to buy aren't
| the people who are forced to use it so they don't care
| about its quality so much
| frant-hartm wrote:
| Jira sucks, but I have yet to see a tracking tool which
| sucks less.
| mannyv wrote:
| Jenkins is one of those things you configure and forget
| about...until you need to do it again.
|
| Over time, there's so much stuff that it does that replacing
| it is a ton of work. And by work I mean verification and
| communication. Many developers have no idea how stuff gets
| built, or how dependencies are managed in the build system.
| You forget one thing and the build is toast. Hunting this
| info down takes a ridiculous amount of time.
|
| Now expand that to X number of projects, and you're looking
| at a year of work...and a delay while QA checks everything
| again.
|
| For what?
|
| Good luck getting that prioritized.
| treeman79 wrote:
| Back in the 90s, I commented to a friend that there sure were a lot
| of NASA employees on a certain IRC channel. His response was NASA
| had great computers and no security.
| qingcharles wrote:
| In the 90s I would be hard-pressed to name any of my techie
| chums who didn't have a shell account on a NASA box, through
| legal or illegal means. NASA also had some great cables and
| satellite runs between their facilities and other partners
| overseas that allowed for moving warez and porn very quickly
| across the Atlantic when the commercial connection between the
| UK and USA was something like 2Mbps for the entire country.
| sybercecurity wrote:
| Heck, I've heard stories that several big agencies only started
| deploying firewalls at their network perimeter in the late
| 90's. I guess one of the saving graces was that a lot of stuff
| like personnel records were hard to reach or still only on
| paper.
| stonogo wrote:
| Perimeter security with firewalls didn't really come into
| vogue until the mid 1990s (post-Cheswick and Bellovin), so
| that seems like a pretty speedy adoption for a big agency.
| icedchai wrote:
| Around here, it was the local college and universities. My
| friend, in high school at the time, pwned CS departments at
| both an Ivy and state college, gave out dozens of cracked SunOS
| accounts to BBSers and script kiddies (the password file was
| unshadowed...) Tying up all the dialups with IRC and the
| non-stop downloading of warez eventually brought the attention of
| sysadmins, but it went on for _months._
| Lammy wrote:
| Simpsons did it:
| https://en.wikipedia.org/wiki/HBGary#WikiLeaks,_Bank_of_Amer...
| richbell wrote:
| Dramatic recounting of this:
|
| https://youtu.be/uFw66YyHD6E
| rurban wrote:
| Tillie Kottmann, oh my. Should have guessed it
| kruuuder wrote:
| https://en.wikipedia.org/wiki/Deadnaming
| neurobama wrote:
| Suicide-baiting, and that's what the emotional blackmail
| around "deadnaming" is, should neither be normalized nor
| accepted. Forcing others to obey your linguistic preferences
| and participate in your fantasies is not OK in an open
| society.
|
| It's remarkable how quickly top-down normalization of this
| concept took place on social media. Historians will have a
| fun time picking apart the influence involved.
| hiidrew wrote:
| this is the same person that found the no fly list from an
| airline lol https://maia.crimew.gay/posts/how-to-hack-an-airline/
___________________________________________________________________
(page generated 2023-05-10 23:00 UTC)