Anyone here use NodeJS?

Discussion in 'Web Design and Development' started by Sill, Oct 25, 2015.

  1. Sill macrumors 6502

    Joined:
    Nov 14, 2014
    #1
    I was looking into installing software that requires NodeJS. When I went to the download page, I discovered that NodeJS is based on a Google project. My entire computing existence is built on rejecting anything Google has done, for security/privacy reasons.

    Is there any way a user can be sure this code doesn't offer a back door for Google or any other company/agency/person?

    Also,

    If the software requires NodeJS does that mean it requires that specific code or can another javascript engine be substituted?
     
  2. ArtOfWarfare macrumors 604

    ArtOfWarfare

    Joined:
    Nov 26, 2007
    #2
It relies on Google's V8 engine, which is an open source project. Although I'm with you in rejecting Google as a rule of thumb (i.e., I own my own domain and server primarily so I don't have to rely on gmail/YouTube/Google pages for my online presence), I think you're being a bit silly to not use NodeJS just because it relies on Google's V8 engine.
     
  3. Sill thread starter macrumors 6502

    Joined:
    Nov 14, 2014
    #3
    Yes I'm sure I'm just being a bit silly and there is no way Google or anyone else is interested in anyone's computer or what is on it. They simply give away core software for free with no hope of ever getting any kind of return from it. If only the common man was as generous as they are as a corporation.

My point is, given Google's well publicized and admitted desire to have access to everything in everyone's lives, how can I be certain that there isn't some sort of port that could be left open for them, maybe a little call out to them to come check out this neat computer they haven't crawled yet? Did anyone in the open source community look through the entire thing and make sure there is nothing like that, or did they all just assume someone else did and went on their merry ignorant way?

    For the record, I don't care if this code was going on a fresh install of OS X on a new machine with no user data on it. I don't want them to have access.
     
  4. 960design macrumors 68000

    Joined:
    Apr 17, 2012
    Location:
    Destin, FL
    #4
    Yep, line by line you can check it out yourself.

NodeJS is a server. If the software requires it then you're pretty much stuck unless you write your own API that duplicates NodeJS and write your own server engine.

    I've been using it for a while for testing, but haven't deployed it as part of a package yet.

NodeJS is pretty awesome in what it does. Push / pulling data with very low overhead, pretty much miffing any wanna-be DoS script kiddies.
     
  5. Sill thread starter macrumors 6502

    Joined:
    Nov 14, 2014
    #5
    I wouldn't even know what to look for, unfortunately.
     
  6. medee88 macrumors newbie

    Joined:
    Oct 26, 2015
    Location:
    Austin, TX
    #6
    I've been using Node.js for over a year now, coming from a c++ to PHP based background. First of all, it is really awesome at what it does. It's one of the greatest extensions for Javascript that turns it into a wonderful language for templating, etc. I've made several API servers in it that are easy to make and run quickly. The open source community support for it in terms of plugins is pretty amazing

Your question centers on Google security. Google developed and uses the V8 engine simply because the performance of it is great for large Javascript applications (which is all that Node.js applications are). https://developers.google.com/v8/design

They make no clear mention of any tracking code, simply because it is a c++ based engine, not a Google service per se. Much of the Google debate centers around their services (like maps, etc) and the information transmitted from them.

Honestly, for backdoors, Google doesn't even supply any of the popular authentication plugins for it. Nodejs isn't run by Google, it simply uses their V8 engine because of its ability to run javascript. You can even run node in a completely web isolated environment if you'd like (which is kind of odd, but doable).

    Take a look at http://passportjs.org for an example of a very popular authentication framework. The security of your node platform is left to you. Google developed the engine for the fast execution of the information, the Node.js Foundation developed node, the security is left up to you.

Hope this helps.. Node really is worth a shot. If you're really just curious with experimenting, you can always put it in a vagrant machine isolated from your OS and test it to see if it fits your needs (https://www.vagrantup.com)
     
  7. Sill thread starter macrumors 6502

    Joined:
    Nov 14, 2014
    #7
I appreciate your reply. I'd like to say it helped, but unfortunately it really didn't answer my question. I'm sure Chrome V8 is very versatile and robust code, etc, but since Google's number one priority is to have access to everyone's information I'm very suspicious of anything they give away. Everything has its price, even if it's allegedly free. That's why I don't have their Chrome browser on my computer, that's why I don't have any Google/Youtube/etc accounts, that's why I don't use their software or own any device with their Android OS.

    Google has already been caught lying outright about many things related to privacy and their supposedly free software. The first thing that comes to my mind was the Google for Kids debacle just a few short years ago. They gave away all sorts of educational software which of course had to run "in the cloud". The kids all had to get a Google account to use it. Google captured everything about these kids and kept it. They denied doing it. Then when they were caught they denied keeping it. When it was discovered that they kept it, they said it was anonymized. But it wasn't. And on and on and on.

    I was just hoping that someone in the open source community had taken the time to do the forensics on something like this before they jumped in with both feet. Regrettably, I think those days are behind us.
     
  8. -narcan- macrumors newbie

    Joined:
    Sep 29, 2011
    #8
    Do people really live their life like this ?
     
  9. Ap0ks macrumors 6502

    Joined:
    Aug 12, 2008
    Location:
    Cambridge, UK
    #9
    As much as I don't like their ethics, not everything at Google is evil, they do contribute quite a lot of open-source projects & code to the community.

    The V8 engine was created to speed up Javascript in Chrome and as an engine really isn't concerned with gathering data, if it was doing what you suspect it might I'm sure the open-source community would have noticed and reacted by now.

    Oracle are working on Project Avatar which is similar if you really don't want to use Node.js on the V8 engine.
     
  10. D.T. macrumors 603

    D.T.

    Joined:
    Sep 15, 2011
    Location:
    Vilano Beach, FL
    #10
I've been using it about the same duration, totally dig on it - I had a pretty extensive JS background so it was pretty simple to pick up. I'm coming from (er, actually still pretty engaged with) C#, Rails, Python, some Java. We started a new project and decided to go with Node, happy I did - like you said, with the rich community, it was easy to get a web-API up and running, roll in some authentication, etc. (using Angular on the front end, Mongo for storage/state, a few other services like S3).

    :cool:
     
  11. Sill thread starter macrumors 6502

    Joined:
    Nov 14, 2014
    #11
I'm not concerned about data-gathering, per se, but rather something just leaving the computer open on a rare port that people just don't look at, or perhaps injecting a daemon into the system. My worry is that the open-source community is doing exactly what you are doing, which is thinking "someone" would catch contaminated code doing bad things. Google isn't contributing all this code just for brownie points. At some point, there is a payout for them. What if it turns out to be access to certain computers or an open door into every single computer on the planet one day?
     
  12. Ap0ks macrumors 6502

    Joined:
    Aug 12, 2008
    Location:
    Cambridge, UK
    #12
    Honestly, I think you're being too paranoid. Why would Google go to the effort of putting backdoors into the V8 engine when most people are already using Chrome which would be able to hide said backdoors much easier since it's closed source?

You need to realise that Google gives away its products for free in return for advertising opportunities, however V8 is not a Google product, it's an open-source project that they just happen to be in control of. If you're really that worried check the contributors, I'm sure Intel, Opera & ARM among others don't want to be seen as putting backdoors on people's systems.

    Also if you don't have the expertise to check the source code line by line you could always look into paying a security company to verify the code for you, if it really is that much of an issue.
     
  13. Sill thread starter macrumors 6502

    Joined:
    Nov 14, 2014
    #13
Google will put backdoors wherever they can. Obviously half the browsers out there aren't Chrome, so Google needs other access points. A "free" hotrod component that seems to be the basis for a growing list of things would be just the opportunity they need to exploit systems. According to Google "V8 is written in C++ and is used in Google Chrome, the open source browser from Google." You say it's closed source. Which is it?

    I haven't been paying attention to browser stats for years so I had to verify your "most people" claim. Then I read the browser share article on Wikipedia and see that exactly half the pages served went to Chrome browsers. I really can't believe people have fallen for Chrome like that.

    Everything I read on node.js refers to it using the "Google Chrome V8 Javascript Engine", and Google's own page says "V8 is Google's open source JavaScript engine", which contradicts your statement. Also, neither the Google V8 page nor the Node.js page has any reference to the other companies you've mentioned. I think maybe you're confusing it with the Blink project, which did have input from Opera and Intel among others. I deleted Opera when I found out they switched from Presto to Blink, btw.
     
  14. Ap0ks macrumors 6502

    Joined:
    Aug 12, 2008
    Location:
    Cambridge, UK
    #14
    You don't seem to understand any of what I wrote, I even included a link that goes directly to the page of contributors showing employees of the companies mentioned being involved.

    Google Chrome is closed source but it's based on the open-source Chromium project (which Google started and continue to contribute to), and yes it is popular - all the security issues with Internet Explorer over the years meant that many were advised to switch to alternatives with Chrome being heavily mentioned.

    Incidentally what software were you looking to install? Perhaps it'd be easier if you just looked for an alternative.
     
  15. Sill thread starter macrumors 6502

    Joined:
    Nov 14, 2014
    #15
I didn't see the link. I just looked at it now. With 139 people contributing, only 2 people from Intel, 4 from ARM, and 1 from Opera. That hardly means those companies are supporting this. That's more like a handful of guys from those companies decided to go add some code in between Call of Duty tournaments. Most of the remaining names are from Google, Gmail, and Chromium addresses, which means this is entirely Google.
     
  16. Ap0ks macrumors 6502

    Joined:
    Aug 12, 2008
    Location:
    Cambridge, UK
    #16
    Of course Google are going to have more contributors, they started the project and have a lot of engineers that are allowed to spend company time working on open-source code.

    I notice you still haven't mentioned the software you were wanting to install before the word Google was seen...
     
  17. Sill thread starter macrumors 6502

    Joined:
    Nov 14, 2014
    #17
Because it's not germane to the discussion. As one of the earlier posters mentioned, if the software requires Node.js I can choose between using it or writing my own to replace it. I'm not going to do the first, and I'm not technically skilled enough to do the second. I don't trust Google code, so this project is dead.
     
  18. r.harris1 macrumors 6502a

    r.harris1

    Joined:
    Feb 20, 2012
    Location:
    Denver, Colorado, USA
    #18
    That's really too bad. For no substantiated reason, you're missing out on an exceptionally vibrant community of contributors who create libraries of all sorts to solve complex problems in an elegant way. It's extraordinarily fast, robust and used by a lot of big kids (linkedIn, netflix, etc). We use it where I work (large telecom). It does not send anything to google nor is it a back door for any one. In general, the great thing about open source code is if anyone were stupid enough to do that, it would get outed almost immediately.
     
  19. Sill thread starter macrumors 6502

    Joined:
    Nov 14, 2014
    #19
Yes, provided people were looking for it in the first place. So far, the response from everyone here has been "Someone would find it!" without ever asking if anyone had actually looked. I doubt you've looked, and I doubt anyone who has participated in this thread has looked, simply because you trust "someone" would look. There's a few million lines of code involved in this thing, and I'm not as trusting that "someone" would have looked through all of it.

    So, my reason is very substantiated. Your trust isn't.
     
  20. r.harris1 macrumors 6502a

    r.harris1

    Joined:
    Feb 20, 2012
    Location:
    Denver, Colorado, USA
    #20
    Sorry, my bad, I thought you were a software developer. If you write software for a living like I do and deploy it in an enterprise environment, you know what goes into and out of your network. You don't need to look at millions of lines of code, but you do need to look for patterns. Enterprise security teams do this all the time, especially web based stuff. I'm reasonably certain that you haven't personally looked at the billions of lines of code in the software you "trust" either, yes? Nor has any one person looked at all of it. Not looking to change your mind, use whatever you want for whatever personal reasons or ideology you follow, but don't just assume people don't know what they're talking about. I don't follow trust so much as experience.
     
  21. brohan711 macrumors newbie

    Joined:
    Apr 10, 2012
    #21
Google's V8 Engine is not a product that integrates with Google's services.

    The code is open source and has had a lot of people scouring the code for security vulnerabilities and potentials to upgrade/ change the source code.

The FIRST thing someone would have pointed out in the V8 engine is if it had a secret backdoor or integration dependency with Google's services.

You probably use websites and/or other services which use Google Analytics, which contains more integration with Google than NodeJS itself.
     
  22. 960design, Nov 2, 2015
    Last edited: Nov 2, 2015

    960design macrumors 68000

    Joined:
    Apr 17, 2012
    Location:
    Destin, FL
    #22
We don't have to look through a million lines of code. We just have to know how to use Wireshark. Grab a book on Wireshark, embrace your paranoia, just like me. Some of us have looked, some of us always look. For some of us, it's our job to look.

    But as others have said. You can only trust the code if you look through it, not what I say. If I told you I've looked through the code, you wouldn't trust me... I wouldn't trust me. I would look through the code.

    If I may, what browser are you using right now? Actually, don't answer that. It doesn't matter. You trust it and not something else. That is all that matters.
     
  23. Sill thread starter macrumors 6502

    Joined:
    Nov 14, 2014
    #23

    Let me point out a couple of errors in that assumption:

    1. I have Google Analytics blocked on my machines.

    2. Even if I didn't, there is a huge difference between Google Analytics counting my presence and actually installing code on a machine from that company that could offer anything from a back door to a daemon.
     
  24. Sill thread starter macrumors 6502

    Joined:
    Nov 14, 2014
    #24
Ok, I'll look at Wireshark.
     
  25. grahamperrin macrumors 601

    grahamperrin

    Joined:
    Jun 8, 2007
    #25
    Seeing (from another topic) that you use a Mac, you might find Little Snitch useful. On the rare occasions when I want to audit and allow or deny traffic, it's my utility of choice.

    I know, this topic is not recent, but it's good to see challenging questions about privacy and security and (unless I'm missing something) there's not yet, here, attention to methodical code review processes. From the opening post:

    There's this, smart:

    – and a glance at the sidebar of https://en.wikipedia.org/wiki/Node.js shows Joyent, a highly respected company but I should not expect @Sill to take my word on that as an answer to the question :)

    At the Node.js site I began reading about Governance, which states that the intention of Technical Steering Committee meeting agendas:

    I sped through a handful of Node.js Foundation pages at GitHub, couldn't find what I wanted so I veered back to Technical Steering Committee | Node.js with links to minutes and Contributing. A step beyond the checklist suggested by @Ap0ks

    – and within that policy, under Accepting Modifications through a Consensus Seeking Process (emphases added by me):

    Without knowing whether that working group is established:
    • @Sill, maybe read the list of TSC members alongside the Development Policy, consider whether that membership has (in the context of the policy) suitably keen eyes for potential back doors and other security issues
    • pages such as https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/ may more quickly offer a 'taste' of the types of issue that are caught.
     