Discord runs Powershell on load to find Nvidia binaries

twitter.com

36 points by adrift a year ago · 56 comments

Its_Padar a year ago

For people who want to view the post and comments without a Twitter/X account: https://nitter.poast.org/da_wamwoowam/status/182487249836352...

zokier a year ago

> this person has never programmed on windows in their lives

https://nitter.poast.org/da_wamwoowam/status/182487490957266...

How about some fucking empathy? Yes, maybe the dev isn't a windows expert, but I'd guess most devs aren't. Most people don't have the luxury of pulling in a specialist to do every little feature, nor the luxury to do a deep dive to figure the absolute correct way. Such is the reality of (commercial) software development. I don't think we need to have snarky attacks on the front page of HN for that.

  • Hizonner a year ago

    I have also never programmed on Windows in my life. Seriously, not so much as a trivial script.

    But I would look up the right way to find the system installation if I were writing production code, or even personal-use code, that needed to know where it was. I also wouldn't walk the filesystem looking for a program I was relying on (and assuming filenames and installation locations, but evidently not with a definitive standard location in mind). If I had to do that, I would know there was something horribly wrong with my own design. Although I should probably already be clued into that if my chat program is having to fool with GPU arcana like that.

    Either some programmer has put thousands of other people's reliability and resources at risk by intentionally taking on something they're unqualified for and don't have the time to do right... or some manager has pushed somebody into that position.

    If you mean that the reality of commercial software is that it's written by half-qualified people under unreasonable time pressure, why should we have "empathy" for the people who make it that way?

    • nemetroid a year ago

      So what's the enterprise-quality solution for querying the GPU for the information they need?

      If I search Google for "nvidia-smi.exe", one of the top results is a Stack Overflow answer with 70 upvotes, describing exactly the approach taken by the linked code.

      https://stackoverflow.com/a/57100016

      • jasomill a year ago

        Sounds like, at best, a great way to find obsolete copies of nvidia-smi.exe shipped with installed but inactive driver versions.

        On all my Windows/Nvidia systems, the current version of nvidia-smi.exe is present in %SystemRoot%\System32.

        OTOH, …\FileRepository*\nvidia-smi.exe matches anywhere from one to eight versions, dating back to 2023.

        Perhaps this is only true because I use official Nvidia mechanisms (.exe installer from Nvidia Web site or Nvidia-supplied app) to install drivers, rather than Windows Update or INF install?

        Incidentally, the wildcard …\FileRepository\nvdm* suggested in the Stack Overflow answer returns zero directories on my systems, as all Nvidia driver repository directories start with either nv_dispi (GeForce) or nv_dispwi (workstation).

        Which makes sense, because obviously the INF file name used to generate these directory names is subject to change without notice.

        In any case, per "nvidia-smi --help":

          Note that the functionality of NVSMI is exposed through the NVML C-based
          library. See the NVIDIA developer website for more information about NVML.
          Python wrappers to NVML are also available.  The output of NVSMI is
          not guaranteed to be backwards compatible; NVML and the bindings are backwards
          compatible.
          
          http://developer.nvidia.com/nvidia-management-library-nvml/
          http://pypi.python.org/pypi/nvidia-ml-py/
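
The two lookups contrasted in the comment above, run over a constructed directory listing, as an added example (not code from the thread, Discord, or the systeminformation package). `SAMPLE_FS`, `scanDriverStore`, `resolveFixed` and `buildInvocation` are hypothetical names, the DriverStore path is assumed to be the standard one, and the `nvidia-smi` query flags are assumed to be supported by the installed version.

```javascript
// Constructed sample layout (not taken from the thread): directory -> file names.
const ROOT = 'C:\\Windows';
const SYS32 = ROOT + '\\System32';
const REPO = SYS32 + '\\DriverStore\\FileRepository'; // standard DriverStore path (assumed)
const SAMPLE_FS = {
  [SYS32]: ['cmd.exe', 'nvidia-smi.exe'],
  [REPO + '\\nv_dispi.inf_amd64_aaaa000000000001']: ['nvidia-smi.exe'],
  [REPO + '\\nv_dispi.inf_amd64_aaaa000000000002']: ['nvidia-smi.exe'],
  [REPO + '\\nv_dispwi.inf_amd64_aaaa000000000003']: ['nvidia-smi.exe'],
  [REPO + '\\netrtwlane.inf_amd64_aaaa000000000004']: ['netrtwlane.sys'],
};

const isAbsoluteWin = (p) => typeof p === 'string' && /^[A-Za-z]:\\/.test(p);
const parentOf = (p) => p.slice(0, p.lastIndexOf('\\'));
const nameOf = (p) => p.slice(p.lastIndexOf('\\') + 1);

// Directory-walk lookup: every package directory directly under FileRepository
// whose name starts with `prefix` and that ships its own nvidia-smi.exe.
function scanDriverStore(fsMap, systemRoot, prefix) {
  const repo = (systemRoot + '\\System32\\DriverStore\\FileRepository').toLowerCase();
  return Object.keys(fsMap)
    .filter((dir) => parentOf(dir).toLowerCase() === repo)
    .filter((dir) => nameOf(dir).toLowerCase().startsWith(prefix.toLowerCase()))
    .filter((dir) => fsMap[dir].includes('nvidia-smi.exe'))
    .map((dir) => dir + '\\nvidia-smi.exe')
    .sort();
}

// Fixed-location lookup: exactly one absolute candidate built from SystemRoot.
// Returns null instead of guessing when SystemRoot is missing or relative.
function resolveFixed(fsMap, env) {
  if (!isAbsoluteWin(env.SystemRoot)) return null;
  const dir = (env.SystemRoot.replace(/\\+$/, '') + '\\System32').toLowerCase();
  const key = Object.keys(fsMap).find((k) => k.toLowerCase() === dir);
  if (!key || !fsMap[key].includes('nvidia-smi.exe')) return null;
  return key + '\\nvidia-smi.exe';
}

// Parameters for child_process.execFile: absolute path, argument array, no shell,
// so neither PATH search order nor shell parsing decides what gets executed.
function buildInvocation(exePath) {
  if (!isAbsoluteWin(exePath)) throw new Error('refusing non-absolute path');
  return {
    file: exePath,
    args: ['--query-gpu=driver_version', '--format=csv,noheader'],
    options: { shell: false, windowsHide: true, timeout: 5000 },
  };
}

// Stand-alone demo on the constructed listing.
console.log('nvdm* matches:', scanDriverStore(SAMPLE_FS, ROOT, 'nvdm').length);
console.log('nv* matches:  ', scanDriverStore(SAMPLE_FS, ROOT, 'nv').length);
console.log('fixed path:   ', resolveFixed(SAMPLE_FS, { SystemRoot: ROOT }));
```

On this listing the narrow wildcard finds nothing and the wide one returns three candidates with no indication of which belongs to the active driver, while the fixed lookup yields a single path. The quoted help text still applies: the output of `nvidia-smi` is not a stable interface, NVML is.
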
    • FreakLegion a year ago

      From the repo:

      > This is amazing. Started as a small project just for myself, it now has > 15,000 lines of code, > 600 versions published, up to 8 mio downloads per month, > 300 mio downloads overall. #1 NPM ranking for backend packages. Thank you to all who contributed to this project!

      It's fair to blast Discord here, but not the library's authors. When you want "production code", maybe do better* than npm-installing a project with lifetime donations of, let's see, $624.

      * Like donate, audit and upstream improvements, or build it yourself from scratch.

  • soraminazuki a year ago

    I don't have empathy for corporations and neither should you. Discord shows absolutely no empathy for its users anyways.

    > Discord Applying Forced Arbitration - opt-out before it is too late!

    > https://news.ycombinator.com/item?id=40252525

    We're talking about a corporation handling our private communications, not a group of unpaid volunteers. Corporations act out of greed. That's the way capitalism works and we shouldn't pretend otherwise. Two decades ago, there was lots of empathy for the company that promised to "not be evil" and just look at how well that went. Accountability is what we should be pushing for, not empathy for those who abuse us.

    The code in question supposedly gathers system information to send back to Discord. It's sensitive information gathered for Discord's own sake. Maybe, just maybe, they should be more aware of what their own code is doing at the very least when doing such things.

  • thefz a year ago

    Whoever wrote this twitter post is irritating beyond my will of reading their rambling. Closed the window real quick.

    • sheepo39 a year ago

      Yeah, the real cringe here is how the Twitter user chose to communicate this

  • Brian_K_White a year ago

    Ok this particular piece of garbage software is not the crime of the century, and we all have dirty underwear, but there is nothing about this that deserves the tiniest bit of empathy. This is not an empathy situation. This is an atrocious job full stop.

    Anyone attempting, or purporting to do this job should know this, and if they don't know this, then that very fact is the unforgivable thing.

    I say this as someone who has barely programmed anything for windows. I managed to make a custom version of putty for work that replaced the registry for a text file for settings, and made it launchable to make saved sessions portable. And I managed the amazing engineering feat of producing a .exe that wraps a twain scanner library. No ui, just a cli that copies argv to the library calls. And I wrote a powershell script that talks to a device over rs232.

    That's about it. More than my mom could do but all in all essentially nothing.

    The criticism of this utter shit is not elitism.

    When I first had that work project to hack on putty, at first I took a look just to see if I could figure it out. I immediately decided I could not figure it out in any reasonable time.

    So I tried to hire a freelancer to do it. Pay someone who actually does this, right?

    You know what they did? For $3k usd in 2005 or so? They fucking called regedit. As in they executed the regedit exe in a system call to import a text reg file. The settings are still stored in the registry, and I already knew how to run regedit to export and import .reg files. I could have done that much by just wrapping my exe in a bat file that runs regedit before launching putty, and that would have been a better engineered result than putting it in a system call, because it would be more flexible since the bat could be modified infinitely later without recompiling.

    They were working on c code that already had code examples in it for working with the registry directly, and for reading and writing files, and yet when they needed to read a file to load settings, they ran an external executable that reads a file and puts the contents into the registry.

    And putty actually has a fairly modular settings module! The registry stuff isn't baked in all over the place. There is a single c file that does all of the settings storage and retrieval. You can essentially swap the whole file out with anything else.

    Am I some supergenius just because I knew enough to not try to do a job I didn't know how to do?

    Am I a supergenius just because I was able to at least read code even if I couldn't write it, enough to see what it was doing and that it was a shit way to get the outward appearance of what I asked for?

    How come you aren't completely offended and scandalized by solutions like these? What code that I rely on are you writing right now?

    We do indeed all have dirty underwear but this is not a case of "not an expert". That is inexcusably misrepresenting the essence of the criticism here.

    • ChocolateGod a year ago

      I believe they're referring to the tone of language used, which is IMHO just unnecessarily rude.

      > THIS is why your software is slow. it's not "web tech" or "electron" or "JIT compilation" or any fucking sorting algorithm

      > it's boneheaded _design decisions_ made to avoid doing things properly in packages with 1,600,000 weekly downloads.

      > :DDDDDDDDDD this is why everyone hates nodejs developers

      Yes, you can criticise a piece of software for doing something X way, but you don't have to shit on the people who made it in the process. Imagine being the person who implemented this waking up and seeing that.

      • Brian_K_White a year ago

        They deserve all of it.

        The entire point everyone is making is that this ISN'T about some fine point. This is a completely stupid approach. It should offend anyone on first sight or thought. There is no valid way to think up this idea for this way to get this result, and not immediately discard it as ridiculous.

        If you're brainstorming initially for possible ways to get from your house to the one across the street, sure maybe one of the possible ways is to give yourself some minor injury, call an ambulance, go to the hospital, and then give them the other address when they take you back home (setting aside that they don't take you back home, let's pretend they do). But you don't actually do it. You reject that idea as outlandish and crazy.

        Even IF it worked fine. Maybe you can't actually successfully get an ambulance to function as a taxi, but Uber will just fine. It would outwardly function just fine to call uber to take from one address to another. Yet you still do not use that approach to that problem. You consider it for one second and conclude that that would be outlandish and crazy. Just utterly gross and stupid and fucking inexcusably so.

      • wamwoowam a year ago

        hi op here, there's a bit to this that's missing

        the bit about web tech and electron is a direct response to a common criticism i see about software written with these frameworks, they have a reputation for being slow and bloated and from experience i know it doesn't have to be that way, what makes web apps bloated and slow is usually poor design choices. the point i was trying to get across here is that this code written this way would've been slow if it was C too, it's not always about the tech stack. same goes for the comments about nodejs, i love node, but some of the packages in the ecosystem really let it down, and it means node devs get a bad wrap.

        i know my general tone isn't great, i do feel for the package maintainer and tried to get in touch to get ahead of this but didn't find a way to do so. though in my defence, this is far from the first time i've tweeted about discord bogging down a system and 99.9% of the time they've gone nowhere, let alone reached hackernews, i've never had "a platform" so i've never had the need to worry about things like this before, it's something i've noted for the future, so i hope that makes things a little more understandable.

        • ChocolateGod a year ago

          > i love node, but some of the packages in the ecosystem really let it down, and it means node devs get a bad wrap.

          I think you'll find that for any environment that promotes package use and has a large following, I don't think it's inherently down to something node is doing wrong.

          > so i've never had the need to worry about things like this before, it's something i've noted for the future, so i hope that makes things a little more understandable.

          part of the reason I left Twitter (or X now?), Mastodon, Threads etc. The platforms promote people posting things without thinking them through first and you never know what's going to come bite you in the arse later.

        • Sirizarry a year ago

          Honestly I think your tone was fine. People need to get over themselves because you said nothing wrong. If someone does something stupid I wholeheartedly believe they should be called out for doing something stupid. It’s how we learn

dwroberts a year ago

Not condoning the method, but I can take a good guess as to what they're doing: They're trying to find out how many NVENC streams are in use on the card / whether any are free

Which isn't important for general use but is relevant if you're screen sharing/streaming your display

banana_giraffe a year ago

In other words: Discord uses a third party library to gather system information. On Windows, that library uses some logic that can fall back to PowerShell to gather information.

https://www.npmjs.com/package/systeminformation

https://github.com/sebhildebrandt/systeminformation/blob/mas...

https://github.com/sebhildebrandt/systeminformation/blob/mas...

eemil a year ago

This is why I run everything possible in the browser. Discord, teams, zoom, outlook, etc. It also makes switching computers and operating systems a breeze. Not that I switch often, but I like to remain platform agnostic.

  • croes a year ago

    Browsers are a platform too

    • rimunroe a year ago

      Other than features specific to a given browser—which seem to be more uncommon as a user than as a developer—how can browsers lock you in in anywhere near the way a standalone application can?

      • xeonmc a year ago

        WebHID comes to mind

        • rimunroe a year ago

          Yes. As I said, there certainly are APIs which are only supported by a certain browser or family of browsers. I just don’t think avoiding vendor lock-in for browsers is anywhere remotely as difficult as it is with operating systems. Admittedly, I’m a web developer and don’t do native development. However, I frequently run into applications which don’t support macOS or Linux, whereas I very rarely run into sites—especially for everyday tasks—which don’t work on Safari or Firefox.

    • its-summertime a year ago

      They are a platform that can nest into other platforms.

tomalaci a year ago

For those who don't want to piece together things from twitter, the summary is this:

Discord attempts to find nvidia-smi libraries by launching a series of powershell scripts. Those scripts are really terrible with a lot of if-else logic based on hardcoded strings and environment variables. They are also apparently fairly slow and scan over 800 directories.

Honestly, this is just yet another example of Discord not really developing their software well security-wise.

Another bad security example: 2FA implementation is not really that secure since you can continuously ask for backup codes to be sent to your email which you presumably open frequently on the same PC (there is already automated malware that will abuse this and circumvent your 2FA via newly generated backup codes).

Yet another terrible implementation: QR codes. There are rampant phishing attempts that work fairly well because they trick people into accepting an invite to some discord server. Once you are in it then you are presented with an "anti-spam/anti-bot" verification check which asks you to scan and confirm a QR code. Little do the majority of people know that it is a login QR code and once you scan that then the hackers will just take over your account in less than a second as all this stuff is easily automated already.

  • hi41 a year ago

    > automated malware that will abuse this

    How does this happen? Is it that the malware reads the contents of the email on the pc?

    Regarding the QR code vulnerability, how do you know if you are scanning a harmful QR code?

  • sidewndr46 a year ago

    Can you explain more about this QR code scam?

    • Sophira a year ago

      My understanding (which may be incorrect) is this:

      On the login page of the web version of Discord, you have the option to log in in two ways: either by using a username/password combination, or by scanning a QR code with the Discord app on your mobile.

      The QR code is linked to your desktop session, and scanning the QR code with a mobile device will cause Discord to authenticate the desktop session with the credentials stored on the mobile.

      Thus, if the attackers take one of the QR codes from their own desktop session and give it to you, scanning it will authenticate their desktop session with your credentials.

      The QR codes have a rotating code that's meant to prevent old QR codes from being used, but that only means that the attackers just need to re-request the QR code every so often and show the new one.

    • numpad0 a year ago

      If I'm reading GP right: there is a QR code displayed prominently on Discord login screen, which is an image. Opening the link on a phone that is also logged into Discord skips everything and completes login process. That QR code can be sent to a victim under false pretense for account takeover?

  • rho138 a year ago

    Waiting for all of those “security professionals” to flame you that were here a few weeks ago when CS shit the bed lol.

nkrisc a year ago

The linked tweet says nothing about Nvidia binaries, how was that determined?

  • littlestymaar a year ago

    It's below on the thread, see: https://threadreaderapp.com/thread/1824872498363523537.html

    Honestly I wished every HN post linking to Twitter was just changed to a threadreader link because otherwise only registered Twitter users can see the content being posted.

    • falsaberN1 a year ago

      I agree a million times. Specially because if you aren't seeing things happen live or semi-live (couple days of delay) there's a huge risk the entire thing will be gone when you go check it out (or have it flooded with memes, drama and general nonsense making it a headache to parse the relevant bits).

      Twitter is just really bad for persistent information. In a perfect world we'd have articles filtering the massive noise-to-data ratio and serving as a persistent archive of whatever happened in there.

    • nkrisc a year ago

      Oh, thanks. I didn’t realize there’s context that can’t be seen if I don’t have a Twitter account.

    • croes a year ago

      Couldn't that kill threadreaderapp's bandwidth?

      • littlestymaar a year ago

        HN isn't that big and threadreader is quite popular already. If anything it would increase their revenues and I'm pretty sure they would be happy about that.

  • aeurielesn a year ago

    Can barely see the tweet without an account. I wonder when that's going to require an account as well.

  • stefan_ a year ago

    It’s searching for nvidia-smi binaries, which is a glorified status monitor for NVIDIA GPUs. Presumably to do nothing more than figure out what driver version you are running..

    (The powershell bit seems to be used for something else however, so that’s just ancillary stupidity)

Apreche a year ago

I mean, what do you expect? If you took all the software engineers on this site and assigned them to develop that feature, how many would be able to do it better? I imagine most won’t be able to even begin without spending a lot of time studying the subject matter. I hardly know any Powershell at all, let alone the better more correct Windowsy way to do it.

Only the more experienced Windows app developers would get it right. How many of those are there in the world? How many are working at Discord?

Most likely some dev who was not a super Windows expert was assigned this task, and figured out how to do it using the tools that they already had the most familiarity with. In this case that was Powershell.

This is what most of us do every single time we code. We prioritize getting a solution that achieves the desired result, which this does. We prioritize getting it done quickly, which means using familiar tools instead of spending a bunch of time learning something new. We prioritize passing tests, which this probably does. Performance is not a priority at most places until it becomes so bad that it’s extremely noticeable. Discord on Windows is most often used on powerful gaming PCs that won’t notice this inefficiency.

That said, now that someone so kindly pointed out the issue, maybe Discord will fix it. Or maybe not. If it’s not a bugfix, or a new feature, or a security patch, why would they prioritize it?

  • dvfjsdhgfv a year ago

    > I imagine most won’t be able to even begin without spending a lot of time studying the subject matter.

    And that's the correct approach. Whenever I pick a task, I make sure I either know the matter in question or need to study it - in which case I inform my co-workers and especially the Tech Lead this needs to be taken into account.

    Frankly, even if it was an internal piece of software used just by a few hundred/thousand people, I would be ashamed of doing it this way because I would be afraid it could have negative impact on my career in this organization.

its-summertime a year ago

The code to find the binaries is very clearly Javascript, not Powershell

From: https://x.com/da_wamwoowam/status/1824874909572665735

`readdirSync`, `statSync` are from https://nodejs.org/api/fs.html
