It takes 5 minutes in their Discord channel to see the founders are D&D nerds, not competent engineers. It was never meant for serious work.
I know absolutely nothing about Obsidian but I'd expect quite a few competent engineers to also be D&D nerds no!?
Are you saying the two are mutually exclusive?
The two are not mutually exclusive. What would you trust more than a nerd? A jock? A spod? An MBA?
Any evidence of other examples if bad engineering you can point to, or are your thoughts on the pluggin system and throwing shade at random groups of people all you've got?
[FYI: I know little of obsidian other than planning to look into it at some point as people I know use and like it. I stepped into this set of comments in case there was something useful I should be passing on to those people]
Anyway, What I like about obsidian is that it can handle a truly huge amount of notes without slowing down, and the notes are just markdown files on disk, so there's no lock in. I have used evernote, ms one note and zoho notebook before, and had issues with all of them.
slowmover•1h ago
Obsidian has the proper protections in place to prevent this type of attack, and the victims are being convinced to ignore them. This is just a successful social engineering event. I hate to see Obsidian dragged down by this headline, since this attack is not exploiting a vulnerability in it or its plugin system.
cmbailey•1h ago
I think the value of this disclosure is more in spreading awareness about plugins, and demonstrating the vector. Where less sophisticated users may think, "Oh, this is just a collection of markdown files. I don't need to be too worried about malicious code."
Groxx•1h ago
>Due to technical limitations, Obsidian cannot reliably restrict plugins to specific permissions or access levels. This means that plugins will inherit Obsidian's access levels. As a result, consider the following examples of what community plugins can do:
Obsidian has no protection at all. Installing a plugin gives it full access to your computer.This was only a matter of time, and honestly I think it's inexcusably negligent that they shipped a plugin system like this at all since about 2010 (or arguably much earlier).
pointlessone•1h ago
Groxx•50m ago
kid64•46m ago
Folks will reply "but I use it every day without plugins".
That position disregards software usability as a formal discipline, along with decades of UX research and standards.
ImPostingOnHN•43m ago
kid64•34m ago
Loocid•31m ago
Barrin92•28m ago
This combination of software relying on third parties without security seems to be untenable. Personally I've gotten rid of just about as many extensions as I can anywhere and switched to batteries included software.
[1]https://news.ycombinator.com/item?id=45307242
moron4hire•35m ago
Paul-E•20m ago