 
Shobai
Gerbil First Class
Topic Author
Posts: 165
Joined: Sat Sep 03, 2005 1:18 am

Nvidia Geforce Experience Security Vulnerability

Mon Apr 24, 2017 11:52 am

SEC Consult has disclosed a method to bypass application whitelisting by abusing Nvidia's node.js.

According to other reports simply rolling back to a 2.x version after uninstalling 3.x isn't enough, as the offending files will be constantly downloaded as updates to GFE. Updating your hosts file with an entry for "services.gfe.nvidia.com" is offered as a solution for this.
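Added example (not part of the original post or of any vendor tooling): a check that a hosts file really overrides the hostname named above, since entries match exact names only and a commented-out or malformed line silently does nothing. It assumes the entry points at a loopback or unspecified address, which the post does not state; the sample hosts content is constructed.

```python
import ipaddress
import sys

TARGET = "services.gfe.nvidia.com"  # hostname named in the post

# Constructed sample hosts file content (not taken from a real machine).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         telemetry.example.invalid Services.GFE.Nvidia.com   # block GFE
#0.0.0.0        commented.example.invalid
"""


def parse_hosts(text):
    """Yield (address, [hostnames]) for every usable hosts-file line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        fields = line.split()
        if len(fields) < 2:
            continue                              # blank or address-only line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # skip lines without a valid IP
        yield addr, [h.lower().rstrip(".") for h in fields[1:]]


def hosts_override(text, hostname):
    """Return the address on the first line that names hostname, else None."""
    wanted = hostname.lower().rstrip(".")
    for addr, names in parse_hosts(text):
        if wanted in names:                       # exact match, no wildcards
            return addr
    return None


def is_blocked(text, hostname=TARGET):
    """True if hostname is mapped to a loopback/unspecified address
    (assumption: that is what 'an entry' in the post means)."""
    addr = hosts_override(text, hostname)
    return addr is not None and (addr.is_loopback or addr.is_unspecified)


if __name__ == "__main__":
    # Pass a hosts file path as the first argument; defaults to the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    print(TARGET, "blocked" if is_blocked(data) else "NOT blocked")
```
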
 
morphine
TR Staff
Posts: 11600
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Nvidia Geforce Experience Security Vulnerability

Mon Apr 24, 2017 12:10 pm

While I'm chuckling at Nv's decision to ship a whole Node.js with Experience, I have to say that the practical impact of this is likely going to be fairly minimal. Doesn't look like it's remotely exploitable, so you still need someone to trick the user into running a script locally. And if you've already managed to do that, you don't really need to go through Experience to wreak some havoc.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Nvidia Geforce Experience Security Vulnerability

Mon Apr 24, 2017 12:31 pm

I feel like almost nobody writes real code any more. Most applications are developed by duct taping a bunch of canned libraries together, with only a superficial understanding of what's really going on. While this typically results in quicker development turnaround, it also results in a horribly bloated product which has such a large potential attack surface (due to all the superfluous, poorly understood 3rd party code shipping with the application) that you can never have reasonable certainty that it is secure.
Nostalgia isn't what it used to be.
 
Captain Ned
Global Moderator
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Nvidia Geforce Experience Security Vulnerability

Mon Apr 24, 2017 12:49 pm

just brew it! wrote:
I feel like almost nobody writes real code any more.

Apollo Guidance Computer. Got Apollo to the moon and back.

16-bit words
2,048 words RAM (4K)
36,864 words ROM (72K)

Assembly language, and RAM/ROM in core rope memory.
What we have today is way too much pluribus and not enough unum.
 
CampinCarl
Graphmaster Gerbil
Posts: 1363
Joined: Mon Jul 04, 2005 9:53 pm

Re: Nvidia Geforce Experience Security Vulnerability

Mon Apr 24, 2017 12:56 pm

just brew it! wrote:
I feel like almost nobody writes real code any more. Most applications are developed by duct taping a bunch of canned libraries together, with only a superficial understanding of what's really going on. While this typically results in quicker development turnaround, it also results in a horribly bloated product which has such a large potential attack surface (due to all the superfluous, poorly understood 3rd party code shipping with the application) that you can never have reasonable certainty that it is secure.


You're not wrong. Didn't you work in the Avionics world for a bit, too? I'm sure, especially coming from that background, that it looks even worse.

I think the bigger problem is a combination between 1) not being given enough time to deeply understand all the libraries you need to use and 2) The documentation not necessarily existing. #1 usually applies far more often than #2, though, for the big ones that are F/L/OSS.
Gigabyte AB350M Gaming-3 | R7 1700X | 2x8 GB Corsair Vengeance DDR4-3200 (@DDR4-2933)| Samsung 960 Evo 1TB SSD | Gigabyte GTX1080 | Win 10 Pro x86-64
 
K-L-Waster
Gerbil Elite
Posts: 576
Joined: Thu Feb 12, 2015 8:10 pm
Location: Hmmm, I was *here* a second ago...

Re: Nvidia Geforce Experience Security Vulnerability

Mon Apr 24, 2017 2:17 pm

Captain Ned wrote:
just brew it! wrote:
I feel like almost nobody writes real code any more.

Apollo Guidance Computer. Got Apollo to the moon and back.

16-bit words
2,048 words RAM (4K)
36,864 words ROM (72K)

Assembly language, and RAM/ROM in core rope memory.


That likely explains its abysmal performance at real time Twitter updates and streaming missions via Twitch.
Main System: i7-8700K, ASUS ROG STRIX Z370-E, 16 GB DDR4 3200 RAM, ASUS 6800XT, 1 TB WD_Black SN750, Corsair 550D

HTPC: I5-4460, ASUS H97M-E, 8 GB RAM, GTX 970, CRUCIAL 256GB MX100, SILVERSTONE GD09B
 
BIF
Minister of Gerbil Affairs
Posts: 2458
Joined: Tue May 25, 2004 7:41 pm

Re: Nvidia Geforce Experience Security Vulnerability

Tue Apr 25, 2017 10:21 pm

Nvidia Geforce Experience SUCKS. It tried to force me to create an account on Nvidia.com, so after I seriously thought about switching back to AMD GPUs, I decided to uninstall it and go get the drivers directly. Now I do that every couple months.

Seriously, a logon account for my GPU? I've got a bird to flip you, Nvidia. :evil:
 
I.S.T.
Gerbil XP
Posts: 486
Joined: Wed Sep 14, 2005 5:18 am

Re: Nvidia Geforce Experience Security Vulnerability

Tue Apr 25, 2017 11:41 pm

I'm so glad I turned off installing that crap when they did the requiring an account thing.
 
SecretSquirrel
Minister of Gerbil Affairs
Posts: 2726
Joined: Tue Jan 01, 2002 7:00 pm
Location: North DFW suburb...
Contact:

Re: Nvidia Geforce Experience Security Vulnerability

Wed Apr 26, 2017 6:32 am

Captain Ned wrote:
just brew it! wrote:
I feel like almost nobody writes real code any more.

Apollo Guidance Computer. Got Apollo to the moon and back.

16-bit words
2,048 words RAM (4K)
36,864 words ROM (72K)

Assembly language, and RAM/ROM in core rope memory.


Smaller than an Arduino Mega. :) Fully agree with the last art of writing code.

--SS
 
morphine
TR Staff
Posts: 11600
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Nvidia Geforce Experience Security Vulnerability

Wed Apr 26, 2017 8:18 am

BIF wrote:
Nvidia Geforce Experience SUCKS. It tried to force me to create an account on Nvidia.com, so after I seriously thought about switching back to AMD GPUs, I decided to uninstall it and go get the drivers directly. Now I do that every couple months.

Seriously, a logon account for my GPU? I've got a bird to flip you, Nvidia. :evil:

Devil's advocate: people create accounts for far less-important stuff than driver updates and automatic game configuration.

(I dislike GFE's mandatory login too, fwiw)
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
 
Waco
Maximum Gerbil
Posts: 4850
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: Nvidia Geforce Experience Security Vulnerability

Wed Apr 26, 2017 9:08 am

I.S.T. wrote:
I'm so glad I turned off installing that crap when they did the requiring an account thing.

Ditto.

It's only a matter of time before software gets owned. Nobody writes real code any more. :(
Victory requires no explanation. Defeat allows none.
 
The Egg
Minister of Gerbil Affairs
Posts: 2938
Joined: Sun Apr 06, 2008 4:46 pm

Re: Nvidia Geforce Experience Security Vulnerability

Wed Apr 26, 2017 9:47 am

I'm another who doesn't install GFE. I don't ever want drivers updating themselves without user input.
 
derFunkenstein
Gerbil God
Posts: 25427
Joined: Fri Feb 21, 2003 9:13 pm
Location: Comin' to you directly from the Mothership

Re: Nvidia Geforce Experience Security Vulnerability

Wed Apr 26, 2017 10:26 am

The Egg wrote:
I'm another who doesn't install GFE. I don't ever want drivers updating themselves without user input.

If that's the only reason, then you should know it doesn't. My experience with GFE 3 is that it alerts you to a new driver and clicking the alert takes you to a page where you can tell it to install or not.
I do not understand what I do. For what I want to do I do not do, but what I hate I do.
Twittering away the day at @TVsBen
 
morphine
TR Staff
Posts: 11600
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Nvidia Geforce Experience Security Vulnerability

Wed Apr 26, 2017 11:00 am

Aye, it'll just let you know that there's a driver update available. It's not particularly annoying either.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
 
DancinJack
Maximum Gerbil
Posts: 4494
Joined: Sat Nov 25, 2006 3:21 pm
Location: Kansas

Re: Nvidia Geforce Experience Security Vulnerability

Wed Apr 26, 2017 11:13 am

I mean, I understand, if only a little bit, why people wouldn't want to install an extra piece of software just to get the driver updates earlier than others, but it's really not a big deal in this case IMO. Geforce experience is never, never in my way. It doesn't hog resources. I rarely even have it "on." It just sits there until I tell it to launch, I update my drivers, and it goes away.

But hey, I guess go ahead and boycott it, because principles!
i7 6700K - Z170 - 16GiB DDR4 - GTX 1080 - 512GB SSD - 256GB SSD - 500GB SSD - 3TB HDD- 27" IPS G-sync - Win10 Pro x64 - Ubuntu/Mint x64 :: 2015 13" rMBP Sierra :: Canon EOS 80D/Sony RX100
 
Waco
Maximum Gerbil
Posts: 4850
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: Nvidia Geforce Experience Security Vulnerability

Wed Apr 26, 2017 11:37 am

DancinJack wrote:
But hey, I guess go ahead and boycott it, because principles!

And security flaws. And useless information gathering (for you) that benefits the company you're signing in to.

You know, besides that. Just principles. :P
Victory requires no explanation. Defeat allows none.
 
DancinJack
Maximum Gerbil
Posts: 4494
Joined: Sat Nov 25, 2006 3:21 pm
Location: Kansas

Re: Nvidia Geforce Experience Security Vulnerability

Wed Apr 26, 2017 11:41 am

Yeah, because Windows or Linux, or ANY other software you use have no security flaws? Surely not everything you use is absolutely necessary. Come on Waco. I have zero issue with Nvidia knowing which games I have installed. I want them to benefit. They make great products.

Everybody wants something for nothing, and I can understand wanting that, but getting it is rarely how it happens. The things you mentioned are principles, by the way. Not sure why you separated the two.

As I said above, I get it. Some people don't want to do it. That's fine.
i7 6700K - Z170 - 16GiB DDR4 - GTX 1080 - 512GB SSD - 256GB SSD - 500GB SSD - 3TB HDD- 27" IPS G-sync - Win10 Pro x64 - Ubuntu/Mint x64 :: 2015 13" rMBP Sierra :: Canon EOS 80D/Sony RX100
 
BIF
Minister of Gerbil Affairs
Posts: 2458
Joined: Tue May 25, 2004 7:41 pm

Re: Nvidia Geforce Experience Security Vulnerability

Fri Apr 28, 2017 3:39 pm

DancinJack wrote:
But hey, I guess go ahead and boycott it, because principles!


Oh no, I never said I had principles. And I never said I was boycotting it. I just dislike it, maybe because I already get told what to do often enough already. Or maybe it's just 'cause I'm grouchy. :P
 
DancinJack
Maximum Gerbil
Posts: 4494
Joined: Sat Nov 25, 2006 3:21 pm
Location: Kansas

Re: Nvidia Geforce Experience Security Vulnerability

Fri Apr 28, 2017 4:04 pm

BIF wrote:
DancinJack wrote:
But hey, I guess go ahead and boycott it, because principles!


Oh no, I never said I had principles. And I never said I was boycotting it. I just dislike it, maybe because I already get told what to do often enough already. Or maybe it's just 'cause I'm grouchy. :P


I wasn't necessarily directing it at you in particular, FWIW. I was just being facetious.
i7 6700K - Z170 - 16GiB DDR4 - GTX 1080 - 512GB SSD - 256GB SSD - 500GB SSD - 3TB HDD- 27" IPS G-sync - Win10 Pro x64 - Ubuntu/Mint x64 :: 2015 13" rMBP Sierra :: Canon EOS 80D/Sony RX100
