Forbes

Developers don't understand CORS

Fascinating look at the underpinnings of the big Zoom vulnerability announced last week, including an excellent discussion of how a lack of understanding may have led to this huge fiasco. Author Chris Foster: What this says to me is that Zoom may have needed to get this feature out and did not understand CORS. They couldn’t make the AJAX requests without the browser disallowing the attempt. Instead, they built this image hack to work around CORS. By doing this, they opened Zoom up to a big vulnerability because not only can the Zoom website trigger operations in the native client and access the response, but every other website on the internet can too.


runyourown.social

How to run a small social network site for your friends

Darius Kazemi, recent Mozilla Fellow and one of my favorite internet artists, has put together a comprehensive guide on how to run your own social network. The Mastodon instance he runs, Friend Camp, seems like one of the more fun and positive social networks around. From the guide: This document exists to lay out some general principles of running a small social network site that have worked for me. These principles are related to community building more than they are related to specific technologies. This is because the big problems with social network sites are not technical: the problems are social problems related to things like policy, values, and power.


DigitalOcean – Sponsored

Free Python machine learning projects ebook

To commemorate the 2019 PyCon conference and the worldwide Python community, Lisa Tagliaferri and Brian Boucheron from DigitalOcean have put together a free eBook of Python machine learning projects! As machine learning is increasingly leveraged to find patterns, conduct analysis, and make decisions — sometimes without final input from humans who may be impacted by these findings — it is crucial to invest in bringing more stakeholders into the fold. This book of Python projects in machine learning tries to do just that: to equip the developers of today and tomorrow with tools they can use to better understand, evaluate, and shape machine learning to help ensure that it is serving us all.



SQLite github.com

Sqlite To Rest

LGTM, but why? Mostly because I wanted to dig deeper into node web server code, but also because I haven’t jumped onto the NoSQL bandwagon and think that web APIs are extremely useful. The result is a modest attempt at automating the CRUD boilerplate that every developer hates, while following the specs to make API consumption intuitive. I chose sqlite to keep the database side of things simple, with the intent that the API isn’t serving heavy loads.


Tobias van Schneider vanschneider.com

Content or design first?

This is a thoughtful look at the relationship between content and design, and some steps that designers can take to better work with copywriters. We all know designers and copywriters should not work in silos. We know design and copy should inform each other, rather than one being retrofitted to the other. This is especially true for UX writing, which must work in tandem with design to do its job well. Effective collaboration between design and content, however, is easier said than done. The author goes on to lay out some ideas to improve collaboration, mostly from the standpoint of the designer, but honestly I think a lot of these same ideas are important for developers. And you can extend it further by saying “don’t use placeholder copy for user generated content”.


Strange Loop – Sponsored

Observability is SUPERPOWERS for developers

Christine Yen, cofounder of Honeycomb.io, is giving a talk at Strange Loop 2019 on “Observability: Superpowers for developers.” When observability is folded into the development process itself, it represents the potential for a beautifully virtuous cycle: production stops being just where our development code runs into issues, and it becomes where part of our development process lives.



Nicholas Rempel blog.30hourjobs.com

Moving the world to a 4 day workweek

Is it possible to work just 4 days a week, be happier, more productive, and still make the same amount of money? That’s one of many questions Aidan Harper and other researchers at the New Economics Foundation and members of the 4 Day Week campaign are trying to solve in an effort to combat the problem of overwork, which is “leading to a crisis in mental health and well-being.” The single biggest cause of work related stress, anxiety, and depression is overwork. So much so that last year one in four of all sick days was the result of overwork — which is a huge proportion of sickness caused directly by overwork. In some ways, you can look at this statistic as a massive drag on the economy. Losing that many work days is very expensive but, more importantly, it’s also a huge societal malaise. Every day people are feeling the effects of overwork and this statistic doesn’t even take into account the number of people who aren’t taking sick days but are feeling generally burnt out and are just barely getting by. To summarize — the 4 day workweek is a pragmatic response to the problem of overwork that is leading to a crisis in mental health and wellbeing. If you’re just off the heels of the recent honest conversation about burnout on JS Party, then you’ll certainly enjoy this interview with Aidan Harper,


Jonathan Leitschuh Medium

Zoom's zero day bug bounty write-up

By now you’ve probably heard about Zoom’s zero day bug that exposed 4+ million webcams to the bidding of nefarious hackers. Security researcher Jonathan Leitschuh shared the full background and details on InfoSec Write-ups: This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a ‘quick fix’ Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. The first actual meeting about how the vulnerability would be patched occurred on June 11th, 2019, only 18 days before the end of the 90-day public disclosure deadline. During this meeting, the details of the vulnerability were confirmed and Zoom’s planned solution was discussed. However… If you use Zoom or if you’ve EVER installed Zoom, read Jonathan’s write-up and take appropriate action to update Zoom or to remove the lingering web server it leaves behind. Confirm whether the server is present by running lsof -i :19421 in Terminal.


Michael del Castillo forbes.com

Shell invests in Ethereum

This is a really interesting usage of blockchain technology to ensure you are really getting what you think you bought. Michael del Castillo writes on Forbes.com: The fifth-largest oil and gas company in the world, valued at $262 billion, is investing an undisclosed amount in LO3, a New York startup using a modified version of the ethereum blockchain to make it easier for individuals to buy and sell locally produced energy using the existing network of power cables. While the bitcoin blockchain lets users track the flow of value without the need of banks to audit the system, LO3’s platform, called Exergy, is designed to track the flow of energy as it is added to a shared, local energy network, giving the neighbors who purchase the energy absolute certainty it really came from a windmill, a solar panel or a gerbil running on a treadmill.

