Notepad++ Compromised By State Actor - Slashdot
Luthair writes:
Notepad++ claims to have been targeted by a state actor; given their previous stance on Uyghurs, one can speculate about a candidate.
Notepad++, in a blog post:
According to the analysis provided by the security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org. The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself. Traffic from certain targeted users was selectively redirected to attacker-controlled served malicious update manifests.
Title (Score: Informative) by Currently_Defacating (10122078) on Monday February 02, 2026 @01:04PM (#65964330) writes:
Notepad-plus-plus.org was compromised. Or Notepad++ website was compromised for brevity's sake.
Re: (Score: Insightful) by swan5566 (1771176) writes:
Came to say this. This title is sloppy at best, and misleading click-bait at worst.
Re:Title (Score: Interesting) by sabbede (2678435) on Monday February 02, 2026 @02:00PM (#65964474) writes:
It's a little more than just a compromised website. NP++ is the #1 text editor, and malicious actors were able to redirect update requests. It's a very serious supply-chain attack. I have a tab in mine that's just passwords and API keys. Bad and very sloppy practice? Yes, but I did it anyway and shudder to think what may have happened if Chinese hackers were able to work out which keys had value for them.
I have now cleaned that up.
Re: Title by umopapisdn69 (6522384) writes:
> I have a tab in mine that's just passwords and API keys. Bad and very sloppy practice?
Keepass FTW
Re: Keepass by umopapisdn69 (6522384) writes:
Probably the only piece of software more important to me than n++
Re: by sabbede (2678435) writes:
Oh, I have a password manager, what I was dealing with was basically a scratchpad I never cleared out. You usually only see an API key once, so I'd paste it into a sheet in case something went wrong and it fell off the clipboard or somesuch - after that happened several times.
Re: by AmiMoJo (196126) writes:
I seem to have avoided this because I use WinGet to update, which pulls from the uncompromised Github repo.
I've seen this here and seen it on Ars, but neither offer any hint as to how to check for compromise or how to remove it.
Re: by sabbede (2678435) writes:
I don't know about any IoC's, but 8.8.9 and later should all be fine. I haven't seen anything about what the compromised versions did either, or if anything else would have been infected in the process.
It's possible that they don't know. Don Ho may not have ever seen a compromised version, depending on how they were targeted.
Re: by AmiMoJo (196126) writes:
Yeah. Fortunately I'm not likely to be of much interest to them.
Re: (Score: Insightful) by cyborg_monkey (150790) writes:
Oh shut the fuck up you neckbearded butt humper.
Re: by RitchCraft (6454710) writes:
OMG that's a horrible thing to say but I seriously ROFLOLed.
Re: by sabbede (2678435) writes:
Pretty ironic that you responded in kind.
Re: by sabbede (2678435) writes:
Well, I do. The millions of people who use NP++ do. People who recognize that OS preference means basically nothing may care as well.
I guess that people who act like OS preference is source of personal superiority don't.
Re: by nicubunu (242346) writes:
It probably is #1 by number of users
Re: by sabbede (2678435) writes:
None of which can be the most popular as they are used almost entirely in Linux. I'm not trashing them, just saying that the most popular text editor for Linux is not the most popular text editor overall. It looks like NP++ and VSCode are the tops overall, along (I was wrong, VSC is #1) with "Sublime", which I am not familiar with.
Re: (Score: Offtopic) by guygo (894298) writes:
If you liked VI's madness... you'll LOVE TECO's!
Re: by DamnOregonian (963763) writes:
Emacs is an OS with built-in editor.
It's not self-hosted- yet. But it is true that you could write an emacs within emacs that runs within that emacs you wrote it in.
Re:Title (Score: Informative) by bjoast (1310293) on Monday February 02, 2026 @01:42PM (#65964424) writes:
> Or Notepad++ website was compromised for brevity's sake.
No. That would be a very inadequate way of describing what was actually a targeted supply-chain attack.
Re: by Luckyo (1726890) writes:
Reading the whole announcement, this doesn't seem entirely correct.
>According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers.
I.e. it seems that this specifically redirected updater traffic, even after website was supposedly fine. Considering that website li
Re: by DamnOregonian (963763) writes:
I rather wish notepad++ author would spend more time being precise in this sort of thing that actually impacts his user base over making sweeping political statements on things and then not give any fucks about state actors he pisses off attacking his user base.
Damn straight. Software engineers aren't humans, they're not allowed to have political opinions (like wars of aggression are bad- so political), and they should just shut the fuck up and keep providing and working on their free software.
Your sense of entitlement is amusing.
Re:Title (Score: Informative) by DamnOregonian (963763) on Monday February 02, 2026 @06:08PM (#65965160) writes:
They can have their opinions. Just don't make it an official part of the organization's stance that they're working on. Previously, they at least had the sense to carry disclaimers, like "My opinions are my own and not that of my employer"
What fucking employer are you talking about? Don Ho is a guy. Who writes Notepad++. He is the organization.
This isn't some guy working for Microsoft. This is some guy's pet project software. His political opinions come with this software he writes, and gives to you to use and modify, for free.
Did you seriously not know that, or are you a fucking bot?
Re: by DamnOregonian (963763) writes:
Notepad++ is free software, written by a guy named Don Ho, who has political opinions, and doesn't give a fuck if you are turned off from using that free software.
Perhaps you should ask him for a refund.
You're victim-blaming here, because I happen to know, since I can read, that you are very much opposed to them politically.
Really, you should probably consider this a risk of any auto-updating software.
Re: by DamnOregonian (963763) writes:
I don't give a fuck about his political opinions, because I don't look at the contents of relevant files.
Ya, you're a liar.
Don Ho was not a victim in this attack. His users were. He didn't get fucked by Chinese malware. People related to Uighur movement who installed or updated his software while update was hijacked were.
This is some truly stupid logic.
He was affected, and his users were affected, as a result of him being affected.
Don Ho was one who instigated the attack on them for internet clout. They are the ones who paid the price. He was exceedingly negligent and that likely got them exposed to a targeted Chinese intelligence operation.
Do you think the author of free software has a duty to everyone who uses their software?
I'm going to reference you to the GPL, at this point.
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
Seriously- go fuck yourself, you entitled piece of shit.
Re: by DamnOregonian (963763) writes:
The funny part about this is that this is the first time I actually went to look at his opinion to see if my expectations will be confirmed that you acted as a typical Baizuo: project your opinions as inherently good, and me as in inherent opposition to them. Then you observed that this guy is probably a leftist like you, therefore me being the demon will have all antithetical opinions.
Your beef with him isn't his anti-PRC stance, and you know it. It's his pro-Ukraine stance. You are famously pro-Russia (to the point where you're often accused of being a bot)
Your attempt at deflection was fucking lame.
Attempting to use your twisted fucking morality to enforce silence upon someone "for the safety of those who may have downloaded their software repository" isn't clever.
Re: by DamnOregonian (963763) writes:
Also, I am infamously anti-Ukraine and anti-Russia, lol. So this idea that him and I align politically is fucking absurd. But we both know your attempt to throw chaff into the air was always going to rely on you trying to link me to them, to create some kind of sense of shared guilt for the crime of speaking out.
Re: by Deal In One (6459326) writes:
Nobody forces you to use this product or pay for it. Actually since it's free, you can even don't use it and don't pay for it and nobody will notice.
Not the developer. Not anyone else.
Don't like who is developing it? Don't like any notes or messages in it?
Don't use it.
Do you know Winrar, 7zip and a bunch of other commonly used software are developed / started by Russians? Or Chinese for that matter.
Again, like I said, nobody forces you to use those software.
Re: Title by pezpunk (205653) writes:
Dipshit, Notepad++ has zero affiliation with Windows, and this vulnerability was part of Notepad++'s server infrastructure.
Re: by ls671 (1122017) writes:
About signing the updates and not putting the private key on the servers? Then, clean, not already infected clients downloading the update should simply reject it. I am puzzled I didn't see this mentioned anywhere yet.
Intolerable state of affairs (Score: Insightful) by physicsphairy (720718) on Monday February 02, 2026 @01:35PM (#65964414) writes:
China already gets its way in forcing Hollywood and other big industries to self-censor on its behalf, down to the individual level (e.g. sanctioning NBA teams if their members made a post in solidarity with the oppressed in Hong Kong).
But even when you have no business with China you still have to worry about what will happen to your business if you acknowledge their persistent genocide of the Uighurs?
This isn't a situation to passively accept.
Re: by ArchieBunker (132337) writes:
China isn't forcing Hollywood to do anything. The movie execs suddenly realized a billion potential customers live there and cater to the market. It's business as usual.
Re: by DamnOregonian (963763) writes:
Ya, I never understood how this was hard for people to grasp.
Kowtowing to China is literally just good capitalist sense. The dripping irony of people being upset by that is just bonus.
Re: by theCoder (23772) writes:
It isn't about Hollywood making movies that Chinese audiences would appreciate. It's about making movies that the authoritarian Chinese government would allow to be available to Chinese audiences. There's a difference.
Re: by tlhIngan (30335) writes:
> China already gets its way in forcing Hollywood and other big industries to self-censor on its behalf, down to the individual level (e.g. sanctioning NBA teams if their members made a post in solidarity with the oppressed in Hong Kong).
Hollywood isn't self-censoring for China's benefit. They're self-censoring because they're taking Chinese money. If you look at some of the latest Hollywood blockbusters, you'll find studios that have Chinese names in them, some you may recognize like TenCent, others are more
Re: by sabbede (2678435) writes:
Well, that's the wise traditional rule - don't discuss politics or religion in polite company.
Which I suppose means /. is not polite company.
Re: Intolerable state of affairs by mnemotronic (586021) writes:
Or with family, which in my case is passive-aggressive-polite-but-wanting-to-kill-you-if-you-dont-acknowledge-that-trump-is-the-second-coming.
Re: by gestalt_n_pepper (991155) writes:
Can confirm. Am not polite.
Re: by sabbede (2678435) writes:
Hah! Enjoyably put.
Re: by SkiMtb (10503235) writes:
I would be fine with this if massive corporations and the oligarchs that own them would also halt all political speech, donations, funding dark money PACs, etc. Unfortunately, that will never happen.
Re: by sabbede (2678435) writes:
Why would you want to deny someone their right to speak about politics? Rich or poor, it is wrong to deny someone their rights.
Re: Intolerable state of affairs by reanjr (588767) writes:
They don't. They just have more reach. Like someone who is charismatic vs a dullard, the reach of your speech has zero impact on your right to that speech.
Re: by sabbede (2678435) writes:
Apparently, our understanding of the phrase, "halt all political speech", differs somehow.
Re: (Score: Insightful) by Pseudonymous Powers (4097097) writes:
Failure to take an overt stance on political issues isn't "apolitical". It's just aligning yourself with the politics of the status quo.
Re: by unixisc (2429386) writes:
No, it's not. If someone says "I neither know nor care about this issue", that doesn't put that person on one side of that issue, or the other
Re: (Score: Funny) by Pseudonymous Powers (4097097) writes:
So am I to understand you're overtly coming out against the politics of the "everything must be political" attitude? Interesting.
Re: by DamnOregonian (963763) writes:
While Notepad++ may be justified in this case, there are a lot of cases where they'd risk alienating half their customer base - not good for business.
What business is that, pray-tell?
Re: by unixisc (2429386) writes:
The business of wanting more people to use their software, presumably
Re: by DamnOregonian (963763) writes:
I have a lot of software on github.
I've even got some code in the linux kernel.
I'm not in any business of "trying to get people to use my [fucking free] software."
I will not be silenced because you are upset that my software, that you find useful, was written by a person who will not be silent. Get the fuck over yourself.
Re: by DamnOregonian (963763) writes:
Genocide is a bit of a stretch, but if you look at it sideways, it's also not far from the early signs of such intent.
Complaining about the use of that word is valid. However, you went above and beyond and fed us a pile of CCP apologetic horse-shit, and you should be ashamed of yourself for that.
A German denying a modern-day early holocaust isn't a good look.
Educate yourself.
[wikipedia.org]
Re: by AmiMoJo (196126) writes:
Genocide can include the erasure of a culture, without murdering all the members of it. That's what is happening to the Uyghurs, or at least some of them. They want to keep their own culture, the Chinese government wants them to integrate. The forced integration involves closing down businesses that cater to Uyghur cultural stuff like restaurants, and of course religious institutions. Uyghurs are forced to accept jobs in Chinese run businesses instead, or run their own Chinese style ones.
It's not exactly sl
Re: by DamnOregonian (963763) writes:
> Genocide can include the erasure of a culture, without murdering all the members of it. That's what is happening to the Uyghurs, or at least some of them.
Yup. But only kinda.
At least nominally, the central government has issued directives to preserve as much of their culture "as possible".
> They want to keep their own culture, the Chinese government wants them to integrate.
Yup.
> The forced integration involves closing down businesses that cater to Uyghur cultural stuff like restaurants, and of course religious institutions.
Yup.
> Uyghurs are forced to accept jobs in Chinese run businesses instead, or run their own Chinese style ones.
Uyghurs are allowed to run their own businesses... well, at least most of them are. But they are faced with additional abuses at the hands of the Government that they will be free of if they do not.
I have a larger problem with the mass arrests, incarceration, forced sterilization, and the Civil Servant-Family Pair Up program.
Like I said, one can make an argument
Re: by DamnOregonian (963763) writes:
I literally just linked you to why.
Over 10% of the Uyghur population was interred. There was forced sterilization, forced labor, and everything short of a gas chamber.
These are facts.
Denying them makes you complicit. Like I said, a German being complicit with this kind of thing isn't a good look. But at least it historically checks out.
Dude: the Uyghurs literally have their own country inside of China. No idea how the west can get away with that "genocide fake news".
You don't understand how the Chinese system works.
The autonomous region (like all of the other Chinese autonomous regions) are still under strict CCP control, and that pe
Re: by DamnOregonian (963763) writes:
More reading for you too. Scroll down to "torture", if you want to see the fun stuff.
[wikipedia.org]
None of this shit is US-led. Hell, the loudest voice is a German national. If you want to know why your brain is so fucking broken when trying to evaluate this- go to the section labeled "Propaganda Campaign". It worked for you.
How do we know ? by greytree (7124971) writes:
How do we know the site is not still hacked, and the blog message there does not contain a link to a compromised install file ?
Re: by Luckyo (1726890) writes:
It links to github repository. That hasn't been hacked according to the statement.
Re: by greytree (7124971) writes:
"That hasn't been hacked *according to the statement.*"
See what you did there ?
Re: by Luckyo (1726890) writes:
I do. That's why I also advocate for better messaging in this very thread.
But it's the best knowledge we have.
windows app updates by AnnoyingBastard (8138122) writes:
The every-app-has-its-own-auto-update agent and infrastructure on Windows is a disaster in the making.
It's not like we had enough warnings about this in the past.
For a long time, Microsoft was gatekeeping their update infrastructure by limiting their Store to UWP apps - now that they have come back on that decision, is there any reason not to depend on the update logic and infrastructure provided by Microsoft?
On Linux I believe the equivalent risk more or less is adding third party repositories where
Re: by Tony Isaac (1301187) writes:
Right, because if you have to click or type links to get to the software update page, that's a lot safer.
Re: by parityshrimp (6342140) writes:
Check the GPG signature before installing software.
Re: by Tony Isaac (1301187) writes:
And how many people actually do that? And all the signature does, is verify that the website developer created the downloader. It does *not* verify that the software is free of malware.
Re: by DamnOregonian (963763) writes:
No, but it very much is the answer to supply-side attacks like this.
It means a MITM attack is no longer useful, and they need to compromise Don Ho himself to get his signing key.
Re: by Tony Isaac (1301187) writes:
Why would they need Don Ho's key? They could just use a new key with a similar-sounding name, like Don L. Ho, and sign it with their own key. Most people would never be the wiser.
Re: by DamnOregonian (963763) writes:
Sorry, I was referring to the auto-update mechanism. Yes, any human key validation is susceptible to standard predictable human fallibility.
Re: by parityshrimp (6342140) writes:
I do that. It prevents man in the middle attacks.
Re: by Tony Isaac (1301187) writes:
Great, we found the one who does that! Most of us use the auto updater.
Re:calling home (Score: Insightful) by apparently (756613) on Monday February 02, 2026 @03:46PM (#65964776) writes:
> Maybe if your software did not call home you wouldn't have a problem with people hijacking those calls.
Notepad++ was "calling home" to check if an updated version was available.
It would "call home" automatically if you had auto-updater enabled, or if you didn't have the auto-updater enabled, it would "call home" when you clicked the button to check for updates.
So what exactly is your issue with that behavior? If you don't think an application should "call home" to check for new versions, where exactly do you think it SHOULD check?
Re: (Score: Informative) by WaffleMonster (969671) writes:
> Notepad++ was "calling home" to check if an updated version was available. It would "call home" automatically if you had auto-updater enabled, or if you didn't have the auto-updater enabled, it would "call home" when you clicked the button to check for updates.
> So what exactly is your issue with that behavior? If you don't think an application should "call home" to check for new versions, where exactly do you think it SHOULD check?
Software should never call home and certainly not itself check for or install updates of itself. Users should perform these tasks as necessary OOB from application software.
People are creating massive houses of cards with these continuous automated updates that cost the vendor nothing but which continuously expose users to unwanted changes, bugs and security risk.
Re: (Score: Interesting) by jd (1658) writes:
I don't agree, but a different method might have been better.
The main problem with the method used was a total lack of security. The obvious strategy would be to:
1. Force a secure connection where Notepad++ creates a tunnel using a public/private key pair, the public key being in Notepad++. This ensures that you're connecting to who you think you're connecting to. The download machine should not be directly on the Internet, nor should it be the webserver, it should be reached via a DMZed proxy where the pro
Re:calling home (Score: Informative) by WaffleMonster (969671) on Monday February 02, 2026 @08:56PM (#65965468) writes:
> 1. Force a secure connection where Notepad++ creates a tunnel using a public/private key pair, the public key being in Notepad++. This ensures that you're connecting to who you think you're connecting to. The download machine should not be directly on the Internet, nor should it be the webserver, it should be reached via a DMZed proxy where the proxy exposes just that one port and the download machine likewise exposes that one port to the DMZed machine.
> ...
> The main problem with the method used was a total lack of security. The obvious strategy would be to:
> This is not foolproof because keys can be compromised and the best security in the world can be broken. But this process makes breaking and entering a bit more of a challenge.
Redundancy doesn't meaningfully enhance security. If you want to create some kind of latch involving a public key installed with the software it is sufficient to check signatures before installing. Tunneling doesn't add security and the latches are just poorly reinventing the wheel. Using existing PKI for code signing allows for both revocation and timestamp countersigning.
The main problem I have with these schemes is the mere existence of the automated update mechanism. So long as it exists attackers can target it to own a lot of systems in a short amount of time. Signatures don't matter when infrastructure used to code and build software are compromised. Every update should be viewed as additional risk to be weighed against potential benefits.
Re:calling home (Score: Informative) by DamnOregonian (963763) on Monday February 02, 2026 @09:16PM (#65965506) writes:
> 1. Force a secure connection where Notepad++ creates a tunnel using a public/private key pair, the public key being in Notepad++. This ensures that you're connecting to who you think you're connecting to. The download machine should not be directly on the Internet, nor should it be the webserver, it should be reached via a DMZed proxy where the proxy exposes just that one port and the download machine likewise exposes that one port to the DMZed machine.
Eyeroll. Not even relevant. Make sure you block ICMP while you're at it.
> 2. You download the digitally signed installer file via the tunnel.
Tunnel not relevant.
> 3. You validate the digital signature on the installer file.
Yes.
> 4. If you're paranoid, you pull the SHA3 for the file from an independent path (https from the webserver?) and compare that as well. The webserver should also not be directly on the Internet, it too should be reached solely by a DMZed proxy. The webserver should not be able to talk to the download server and vice versa.
But make sure you block ping.
> 5. If, and only if, the signature and the hash both agree, do you run the installer.
Bingo.
> 6. You validate the digital signature on the installed binary - if there's a mismatch, you uninstall immediately.
Wut? The chances that a binary within the package that passed signature check is itself failing a signature check is literally astronomically unlikely.
If they can sign the package, they can sign the binary within it. The only thing you catch here is sheer incompetence on the part of the attacker. I mean sure, if you're that paranoid- go for it- but shit, we should probably create our own layer-6 protocol on top of the HTTPS request that has additional signing as well, because... wait, I lost my train of thought- did you block ICMP?
The issue was simple. It pulled an unsigned XML for directions where to pull the binary, and then it installed that unsigned binary.
The XML is now signed, and so is the binary.
The problem is solved.
You should not be giving security advice.
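The check described in the comment above (a signed XML manifest and a signed binary, both verified before install, with the public key shipped in the application), as an added example that is not part of the thread and not Notepad++'s updater code. The `<Update>`/`<Location>` element names, the `fetch` callback and the example URLs are hypothetical, and textbook RSA over a throwaway key stands in for a vetted signing library.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

# DER DigestInfo prefix for SHA-256 (RFC 8017, EMSA-PKCS1-v1_5).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin; only used to build the throwaway demo key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (3 << (bits - 2)) | 1  # full width, odd
        if _is_probable_prime(c):
            return c

def make_demo_keypair(bits=1024):
    """Constructed demo key, returns ((n, e), d). Real keys: >= 2048 bits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so gcd(e, phi) == 1
            return (p * q, e), pow(e, -1, phi)

def _encode(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), k bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(message, public_key, d):
    """Maintainer side, offline: the private exponent d never sits on a server."""
    n = public_key[0]
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_encode(message, k), "big"), d, n).to_bytes(k, "big")

def verify(message, signature, public_key):
    """Updater side: needs only the public key shipped inside the application."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    # Re-encode and compare whole blocks rather than parsing the padding.
    return pow(s, e, n).to_bytes(k, "big") == _encode(message, k)

class UpdateRejected(Exception):
    """Raised when the manifest or the installer fails its signature check."""

def fetch_verified_update(manifest, manifest_sig, fetch, pinned_key):
    """Return installer bytes only if manifest and installer are both signed."""
    # Assumptions: fetch(url) -> (bytes, detached_sig); <Location> element name.
    # 1. Authenticate the manifest before parsing or following anything in it.
    if not verify(manifest, manifest_sig, pinned_key):
        raise UpdateRejected("manifest signature invalid")
    url = ET.fromstring(manifest).findtext("Location")
    # 2. The transport is untrusted: verify the installer before running it.
    installer, installer_sig = fetch(url)
    if not verify(installer, installer_sig, pinned_key):
        raise UpdateRejected("installer signature invalid")
    return installer

def demo():
    """Constructed cases: genuine update, redirected manifest, swapped binary."""
    key, d = make_demo_keypair()
    url = "https://updates.example/setup.exe"
    installer = b"constructed installer bytes"
    manifest = f"<Update><Location>{url}</Location></Update>".encode()
    redirected = manifest.replace(b"updates.example", b"attacker.example")
    genuine = {url: (installer, sign(installer, key, d))}
    swapped = {url: (b"other bytes", sign(installer, key, d))}

    def outcome(m, servers):
        try:
            fetch_verified_update(m, sign(manifest, key, d), servers.__getitem__, key)
            return "installed"
        except UpdateRejected as exc:
            return f"rejected: {exc}"

    return {"genuine": outcome(manifest, genuine),
            "redirected manifest": outcome(redirected, genuine),
            "swapped installer": outcome(manifest, swapped)}
```

Calling `demo()` returns the outcome of each case; an updater that skipped step 1 would have followed the redirected `<Location>` without complaint.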
Re: by thegarbz (1787294) writes:
> Software should never call home and certainly not itself check for or install updates of itself.
What a great way of ensuring malicious bugs go unpatched for users. Seriously never ever give advice or even post about security related discussions again. YOU ARE DANGEROUS.
Re: by awwshit (6214476) writes:
And the call mechanism was hijacked and used against users. Great stuff. If it didn't call home... I could still check for updates myself, and download them myself, and install them myself, just like I did the first time.
Re: by MobyDisk (75490) writes:
I am not the OP, but perhaps each vendor should not have to architect this function, since it is such a high security risk. Instead, use infrastructure like apt, yum, chocolatey, Windows Update, Steam, etc.
Re: by Aristos Mazer (181252) writes:
This attack also affected manual upgrades. The poisoning was to the place where you download the upgrade from.
Re: by _merlin (160982) writes:
The developer of Notepad++ has always used it as a platform for anti-PRC messages, though. If you don't agree with that kind of activism, maybe you shouldn't use it?
Re: by greytree (7124971) writes:
I would do that *if I was a mindless idiot who chose their text editor based on the fucking text editor's political position*.
But come on, there isn't anyone that stupid on Slashdot.
Is there ?
Re: by DamnOregonian (963763) writes:
Your text editor is written by a person. A person has opinions.
If you don't like it, you can ask for a refund of $0 for what you paid for it, fuckstain.
Re: by procrastinatos (1004262) writes:
I hate the horrible dictatorship that is China, we should have boycotted them decades ago and should be preparing now to boycott them in the future.
Please don't mention religion or politics.
BUT I still don't want my fucking text editor taking a stance on China's despicable actions.
So pick a different fucking text editor. Plenty to choose from.
Do your job, don't mention religion or politics.
It's not his job. It's his personal project. That he's giving away. For free.
This applies to the hateful woke, the pro-pals, feminazis, the loony christian right, homophobes, racists and sexists of every kind. Everyone !
Again, please don't mention religion or politics.
How fucking hard is it ?
Seemingly impossible for you.
P.S. Note that unlike French, English doesn't require a space before question marks and exclamation marks.
Re: by greytree (7124971) writes:
You seem incapable of distinguishing between expressing an opinion in a Slashdot comment and expressing it in other areas.
That inability makes your own comment entirely worthless.
Re: by procrastinatos (1004262) writes:
> You seem incapable of distinguishing between expressing an opinion in a Slashdot comment and expressing it in other areas.
Because there's no distinction to be made.
His personal software and his personal website contain his personal opinions.
If you take offense with that: don't use it.
If you think that his opinions might put his software in the crosshairs of certain people, parties, or nation-states: don't use it.
Liberté, égalité, fraternité. It's in the constitution. If you disagree with that, submit a proposal to your nearest legislative body to define what "other areas" people should be restricted from vo
Re: by greytree (7124971) writes:
> If you take offense with that: don't use it.
You think there is "no distinction to be made" between my opinion in a Slashdot comment and in published software ?!?!
So, by your logic, if you disagree with my Slashdot comment, don't reply to it.
Re: by procrastinatos (1004262) writes:
> You think there is "no distinction to be made" between my opinion in a Slashdot comment and in published software ?!?!
You're right, there is indeed a distinction.
Slashdot is a public forum, so to protect themselves from possible adverse effects caused by dumb opinions, they have to provide a disclaimer at the top of the page.
It goes like this:
The Fine Print:
The following comments are owned by whoever posted them. We are not responsible for them in any way.
No such restriction for the Notepad++ guy. He can do whatever he wants because it's his personal software.
> So, by your logic, if you disagree with my Slashdot comment, don't reply to it.
I don't know where you get the entitlement to keep telling peo
Re:
Score:
by
greytree
( 7124971 )
writes:
"Because there's no distinction to be made."
[...]
"You're right, there is indeed a distinction."
So you agree we can ignore half of your previous comments.
Now please try and comprehend the difference between personal software and published open source software.
That difference means we can ignore the rest of your comments.
Re:
Score:
by
procrastinatos
( 1004262 )
writes:
You keep arguing that there's a difference, yet in 10 or so messages you have failed to give even the slightest indication as to where that difference lies.
Instead, you're hell-bent on dismissing my comments out of hand, without any form of rationale. It's in poor taste.
Once again, when it comes to the author expressing his views in the software that he freely shares:
- There is no legal objection. He doesn't break any French laws, and the software license is clear on the liabilities he accepts (none).
- Ther
Re:
Score:
by
greytree
( 7124971 )
writes:
"You keep arguing that there's a difference, yet in 10 or so messages you have failed to give even the slightest indication as to where that difference lies."
YOU WROTE: "You're right, there is indeed a distinction."
Re:
Score:
by
procrastinatos
( 1004262 )
writes:
Please try to read and understand all the words.
I argued to the contrary that you are less free to express your opinion on a public forum like Slashdot (hence the disclaimer) than the author is to express his opinion in his own personal software and on his own personal website.
I'm going to disengage now. You have not yet provided a single argument to support your case, and I'm done holding out hope that you will do so in the next 10 messages.
Re:
Score:
by
greytree
( 7124971 )
writes:
"Because there's no distinction to be made."
[...]
"You're right, there is indeed a distinction."
[...]
"You have not yet provided a single argument to support your case"
I think that's best for you. Come back when you can understand your own statements.
Re:
Score:
by
unixisc
( 2429386 )
writes:
Actually no. Take the case of RMS - an avowed Marxist
On his personal website, he openly espouses all of his political opinions, including his hatred of ICE and borders
On the GNU sites, when he ran the FSF, all it had was his essays on "free software". He didn't list his political opinions there, even though they were well known
Back in the day, most people would have disclaimers on their signature lines, stating that the views they posted were their own and not that of their employers/organizations.
Ineffective statements don't draw attacks
Score:
by
Comboman
( 895500 )
writes:
If someone was offended enough by it to launch a cyberattack, then it very likely DID have an effect. It is very difficult to spread any kind of message in China that is not explicitly approved by the government. If the author (who charges nothing for this software) wants to use his small bit of influence to get a message out, that's his right. If you don't like it, that's your right too. You're free to use any software you wish.
Re:
Score:
by
sabbede
( 2678435 )
writes:
Of course it is his right. Having the right to do something doesn't necessarily mean you should do it though. I share his opinion - I just don't think he should have inserted it where he did.
And here's the thing - he didn't get a message out. He repeated a message that is already out and put it somewhere it really didn't belong. I lose respect for people who insert their political opinions into apolitical spaces.
And as a practical matter, what fruit does using that "influence" bear? At best, you
Re:
Score:
by
DamnOregonian
( 963763 )
writes:
NP++ is the work of its author. It's not a corporation, or owned by a corporation.
That author is under no obligation to separate his art from his opinion, and it's patently fucking absurd to think so.
Were he in the business of selling licenses to NP++, then that would perhaps be a wise decision for them to make, but you and I- as free users of his freely distributed code- have no such ground to stand on to expect any such thing.
I always thought it was improper for NP++ to take a side.
If you write software for yourself, and it can be tied back to you- then you
Re:
Score:
by
sabbede
( 2678435 )
writes:
No, of course he is not under any such obligation, but that doesn't mean he is obliged to do the opposite. All I'm doing is saying that he shouldn't do it, politics doesn't belong there; not that he mustn't do it.
I do believe that artists should separate their political opinions from their art, lest it cease to be art and become nothing more than propaganda. Regardless of whether or not I agree with that opinion. I think there is something wrong with a person who can't distinguish between the apolitica
Re:
Score:
by
greytree
( 7124971 )
writes:
> Completely agree! Yet somehow, this concept is hard for /.ers to understand
Alas, when a comment calls out "the hateful woke, the pro-pals, feminazis, the loony christian right, homophobes, racists and sexists of every kind", then the dishonest mods in those groups are always going to downvote it.
As usual, Ignore the Score.
Re:
Score:
by
unixisc
( 2429386 )
writes:
I'd normally ignore it. Except that on this site, if one gets a lot of downmods, one's ability to post is curtailed, which is a problem w/ this site. In fact, for a tech site, it's really retarded: doesn't support Unicode, nor does it support IPv6. Which is why when I post something that's clearly anti-Left, I do it as AC. Like a lot of other people here
Re:
Score:
by
greytree
( 7124971 )
writes:
It's not only anti-left, I find pointing out that Global Warming is real can get lots of downmods.
I think a post just has to trigger enough morons, woke or Maga, who feel strongly enough about the lies they believe that they can be bothered to start up their sock puppet account.
Yes, Slashdot is retarded and, sadly, slowly on the way out.
Re:
Score:
by
Thud457
( 234763 )
writes:
Go to the source [notepad-plus-plus.org], read the revision history
previously [theregister.com]
Re:
Score:
by
DamnOregonian
( 963763 )
writes:
Your employer should be very suspicious of anything that auto-updates within its organization, as it's a route for supply-side attacks such as this.
But fun fact, they probably don't if they just blocked NP++ "several months ago".
So... kudos?
Re:
Score:
by
Shades72
( 6355170 )
writes:
You do realize that the MAGA red is very much like the red in the flag of the CCP. And by extension, the same red as the ties from president Trump?
How should one understand those things? Coincidence? Aspiration?
At least China is consistent. They are not your friend. And never want to be either. China remains friendly enough if you prove to be useful for their plans. With those three things in mind, it is a workable situation. Trump's mood and plans change according to the direction of the wind, if the ascend
Re:
Score:
by
unixisc
( 2429386 )
writes:
That is a bizarre convention in the US. Usually, in most of the world, blue is used to represent Right leaning parties, and red used to represent Left leaning ones. We are the only ones where that convention is flipped. Normally, the GOP should be blue, and the Dems red, given where both stand
Re:
Score:
by
unixisc
( 2429386 )
writes:
I'm not pro-China, but other than that, I agree w/ you. When I buy/get something from someone, I don't expect to have their political opinions thrust on me, be it pro or anti. This project has had bizarre project names, such as "In a world of Elons, be a Zelenskyy". He has a right to his opinions, but if I'm getting his software, I don't expect him to shove it into my face