Tobie Langel, Open source strategist and Principal at UnlockOpen, joins Chris, Feross, and Amal to discuss recent widespread incidents affecting the JavaScript community (and breaking CI builds) around the globe. Two widely used npm libraries were self-sabotaged by their single maintainer, yet again, highlighting the many gaps in our OSS supply chain security, sustainability and overall practices. We explore all these topics and solution on what our ecosystem needs to be more resilient to these types of attacks in the future.

Matched from the episode's transcript 👇

This week we’re joined by the “mad scientist” himself, Feross Aboukhadijeh…and we’re talking about the launch of Socket — the next big thing in the fight to secure and protect the open source supply chain.

While working on the frontlines of open source, Feross and team have witnessed firsthand how supply chain attacks have swept across the software community and have damaged the trust in open source. Socket turns the problem of securing open source software on its head, and asks…“What if we assume all open source may be malicious?” So, they built a system that proactively detects indicators of compromised open source packages and brings awareness to teams in real-time. We cover the whys, the hows, and what’s next for this ambitious and very much needed project.

Matched from the episode's transcript 👇

Angelica is joined by Cameron Balahan, Sameer Ajmani & Russ Cox from the Go Team at Google to talk about how things get done on the Go Team, how do they decide what to improve and then how do they go about improving it. We also discuss how they decide what to work when & what the future of Go might look like.

Matched from the episode's transcript 👇

This news is a few weeks old now, but I’ve been tracking the ups and downs of the crypto markets for a while now — especially after we had those crazy highs in Q4 2017. Everyone was rushing to get theirs and loose it — after-all, it’s so simple to get in, right?!

Of course, putting some effort into mining Bitcoin or Ethereum isn’t a bad thing, but c’mon, dropping all of your savings into the Bitcoin bucket is not a smart move. Tread carefully.

Our 4th annual year-end wrap-up episode! We don’t naval gaze often, but when we do… we make sure you get your money’s worth. Reflections, most popular episodes, our favs, and new this year: listener voice mails. Thanks for listening! 💚

Matched from the episode's transcript 👇

Bloomberg is citing a sell-off of Bitcoin, Ether, and dozens of smaller digital tokens. The “crypto exodus” is happening due to a “sense of panic” hitting crypto investors. It’s been a brutal August for Bitcoin and Ether, with Bitcoin touching below $6,000.

“The big story in the market today is the huge weakness in Ethereum,” Timothy Tam, chief executive officer of CoinFi said in a phone interview — “Bitcoin has held up relatively well versus Ethereum. It’s still quite weak versus the U.S. dollar.”

While cryptocurrencies rallied in July on hopes that a Bitcoin-backed exchange-traded fund would attract new investors, U.S. regulators have yet to sign off on multiple proposals for such a product. The letdown has coincided with growing concern that entrepreneurs who raised crypto-denominated funds via initial coin offerings (ICO) are now cashing out of holdings such as Ether, the token for the Ethereum blockchain that is a popular platform for crypto projects.

What do you think? Are you selling, buying, or holding?

(If you haven’t heard of Crypto Kitties, it’s silly internet game built as a dApp that got popular enough to clog Ethereum’s network over the past few weeks.)

This is a deep-dive in to Crypto Kitties’ smart contracts to learn (and try to change) how the kitties’ genes are determined. Utterly fascinating stuff.

Hummingbot integrates cryptocurrency trading on both centralized exchanges and decentralized protocols. It allows users to run a client that executes customized, automated trading strategies for cryptocurrencies.

We created Hummingbot to promote decentralized market-making: enabling members of the community to contribute to the liquidity and trading efficiency in cryptocurrency markets.

There are many arbitrage opportunities between centralized exchanges like Coinbase and Binance (which often have high liquidity) and decentralized exchanges like Loopring and Terra (which thus far rarely have high liquidity).

If you have the financial stomach for it, Hummingbot could help you take advantage of these opportunities while providing liquidity to the decentralized markets.

Bloomberg reports on a concerning new trend in tech hiring, Sean Goedecke has a lot to say about large established codebases, Jacob Bartlett thinks Apple is ruining Swift’s original vision, Ahmed Khaleel built a cool tool for turning GitHub repos into interactive diagrams & Bridget Harris goes deep on the potential of crypto stablecoins to disrupt Visa and Mastercard’s duopoly.

The 3 Musketeers return! Filippo Valsorda, Roland Shoemaker & Nicola Murino continue their deep-dive conversation with Natalie about Go’s crypto libraries.

Also listen to Part 1 and Part 2!

Filippo Valsorda & Roland Shoemaker from the Go Team return & bring Nicola Murino with them to continue catching us up on what’s new in Go’s crypto libraries.

This is everything we didn’t cover + deep dives from Part 1!

Filippo Valsorda & Roland Shoemaker from the Go Team sit down with Natalie to catch us up on what’s new in Go’s crypto libraries. No, not that crypto… good ol’ cryptography! Don’t miss Part 2!

Matias Pan is a Staff Software Engineer at Lemon Cash, a crypto startup based in Argentina. Lemon infrastructure runs digital wallets & physical cards, which technically makes them a bank. How does Matias & his team think about enabling developers get code from their workstations into production? Remember, we are talking about a bank - a bad deploy is a big deal. And when a bad database migration goes out, what happens then?

Avi Lumelsky shares his journey finding and reporting databases with sensitive data about Fortune-500 companies, hospitals, crypto platforms, startups during due diligence, and more.

His major entry point: misconfiguration

This bold statement starts a long Twitter thread by Brantly Millegan:

“Sign-In w/ Ethereum” is the future of login for every app on the Internet, crypto-related or not. Not just an idea, it’s already the norm for web3 & will spread.

This idea was the most interesting/exciting thing for me that came out of our NFT talk with Mikeal Rogers. Could cryptocurrency be the carrot that attracts the masses to obtain a public/private key pair and be financially incentivized to secure it? If so, this makes for a far superior global identity system to anything previous.

For this to happen, I think mainstream browsers will have to build crypto wallets into them. Plugins and extensions like MetaMask are probably asking too much of people. What do you think? Feasible? Likely? Why or why not?

The NFT Canon is a go-to resource for artists and creators, developers, corporations and institutions, communities and other organizations seeking to understand or do more with non-fungible tokens.

It’s a curated list of readings and resources on all things NFTs (inspired by the a16z Crypto Canon), and is organized from the big picture of what NFTs are and why they matter, to how to mint, collect, and do more with them — including various applications such as art, music, gaming, social tokens, and others.

We will continue to update this as more people try out new things, share their work, or publish resources for learning about NFTs. If you have suggestions for quality pieces to add, let us know @a16z.

A good resource and primer for our upcoming NFT episode of The Changelog with Mikeal Rogers.

Why do something like this? For the fun of it, mostly. Definitely not for this reason:

By creating a crypto trading bot that buys bitcoin every time the Tesla boss tweets about it you can rest assured that you are going to catch a VIP seat on the rocket that will slingshot right past the moon and make its way directly to Mars, where Elon spends most of the summer months due to its cold weather and dry climate.

Lulz aside, I love posts like this because they demonstrate how someone tied together a bunch of disparate things (Twitter API, trading API, regular expressions, etc.) to accomplish a real thing, no matter how silly/foolish that real thing is.

Also check out part 2 where he adds sentiment analysis. (Although, it’s hard for me –a human– to decipher Elon Musk’s tweets, so the results of said analysis are probably no better than flipping a coin.)

We are in a time where the open source tooling and developer story around Apple’s new M1 chip is all over our feeds. Among these was this interesting benchmark. It even highlights where a somewhat older Intel can still beat the M1, such as highly optimized crypto. In general, if your code relies on the Go parts more than native optimized code the M1 looks like a performance win.

Utku Sen:

In the information security field, we have developed lots of thoughts that can’t be discussed (or rarely discussed):

• Never roll your own crypto
• Always use TLS
• Security by obscurity is bad

I certainly learned these in my Infosec classes in college. Back then I didn’t really question it much, because what did I know? But I definitely remember thinking, “Okay security by obscurity is bad, but maybe why not do it anyway? Defense in depth, right?” Back to Utku:

Most of them are very generally correct. However, I started to think that people are telling those because everyone is telling them. And, most of the people are actually not thinking about exceptional cases. In this post, I will raise my objection against the idea of “Security by obscurity is bad”.

After announcing the program in a tweet, Jack Dorsey followed up with some details:

This will be Square’s first open source initiative independent of our business objectives. These folks will focus entirely on what’s best for the crypto community and individual economic empowerment, not on Square’s commercial interests. All resulting work will be open and free.

Followed by:

Square has taken a lot from the open source community to get us here. We haven’t given enough back. This is a small way to give back, and one that’s aligned with our broader interests: a more accessible global financial system for the internet.

Whether you’re a devout Bitcoin hodler or an avid nocoiner, you have to admit this a great way (the greatest?) for corporate entities to support the open source community. Full-time salaries. Not focused on commercial interests.

Let’s hope it plays out that way! 🙏

Efail caused a panic at the disco:

… some researchers in Europe published a paper with the bombshell title “Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels.” There were a lot of researchers on that team but in the hours after release Sebastian Schinzel took the point on Twitter for the group.

Oh, my, did the email crypto world blow up. The following are some thoughts that have benefited from a few days for things to settle.

Lots of interesting insights here, perhaps most controversially how the EFF’s handling of the situation may have done more harm than good in the author’s opinion. Also:

we could stand to have a renewed appreciation for OpenPGP’s importance to not just email crypto, but the global economy.

I can say I definitely have more appreciation for it after reading this than I did before. I hadn’t thought about its influence (which is huge) outside of encrypted email.

For Stripe, Bitcoin isn’t scaling well to make it “useful for payments,” and it’s expensive in both time and money to process transactions. However, Tom Karlo said “Bitcoin has evolved to become better-suited as an asset rather than a means of exchange.”

A line in the sand has been drawn for Bitcoin as a useful payment currency.

Therefore, starting today, we are winding down support for Bitcoin payments. Over the next three months we will work with affected Stripe users to ensure a smooth transition before we stop processing Bitcoin transactions on April 23, 2018.

Clearly the value of Bitcoin is still there as an asset. It’s just not working out (for Stripe) as a means of exchange for payments. Though they remain optimistic.

Despite this, we remain very optimistic about cryptocurrencies overall.

Tom also provided some insights to where things are heading for crypto and payments.

We may add support for Stellar (to which we provided seed funding) if substantive use continues to grow. It’s possible that Bitcoin Cash, Litecoin, or another Bitcoin variant, will find a way to achieve significant popularity while keeping settlement times and transaction fees very low.

Crypto markets are still in their infancy and analysis tooling is limited. This seems like a cause that is ripe for the open source community to help solve. Until then, here’s a Google Sheets hack to get you 80% of the way there.

Chris Beams joins the show to talk about Bisq, the P2P decentralized Bitcoin exchange and open-source desktop application that allows you to buy and sell bitcoins in exchange for national currencies, or alternative crypto currencies. We get some background on the issues faced by crypto exchanges like CoinBase, and the now defunkt Mt. Gox. We discuss whether or not Bitcoin is a censorship resistant payment system and what it means to have anonymous transaction currency options. Bisq also has an interesting white paper about its own DAO (Decentralized Autonomous Organization) to support its contributors and we discuss that in detail at the end of the episode.

Before we talk about otr.js, we have to talk about crypto in JavaScript. It’s important to discuss issues with cryptography, because bugs are much more severe than in ‘normal’ code. If your Rails app has a bug, maybe some emails don’t get sent out. If your crypto has a flow, your secrets are all wide open.

So, before discussing a JavaScript crypto library, I must point you to the first line of the README:

This library hasn't been properly vetted by security researchers. Do not use in life and death situations!

Furthermore, for more on the issues of crypto and JavaScript specifically, I refer you to this post by Matasano Security, whose opinions I trust when it comes to security.

Okay, now that we’ve got that out of the way, let’s talk about otr.js! OTR is a protocol which allows you to have private conversations over IM. As you may guess, otr.js is an implementation of this protocol in JavaScript.

There’s a lot of setup required, so please read the README, but once you’ve got it set up, it’s pretty easy to use:

var newmsg = "Message to userA."
buddy.sendMsg(newmsg)

Not that hard, right? There’s a ton of different options, though they are pretty well-documented. What is odd though, is that apparently messages aren’t encrypted at first; you must call

buddy.sendQueryMsg()

to make that happen. I believe this is because the OTR protocol itself allows for unencrypted messages, and otr.js seems to be a lower-level library that others will build upon, rather than something you’d use directly.

Drew Wilson is back! It’s been more than a decade since Adam and Drew have spoken and wow, Drew has been busy. He built Plasso and got acquired by GoDaddy. He built a bank called Letter which didn’t work out…and now he’s Head of Design at Clerk and back to chasing that next big thing.

Matched from the episode's transcript 👇

Anthony Eden, Founder & CEO of DNSimple, joins the show to talk about the world of managed hosting for DNS and more.

Matched from the episode's transcript 👇

Anurag Goel, Founder/CEO of Render, joins Adam to discuss what they’re doing to solve cloud problems for application developers. They just raised $80M they don’t even need and they’re poised to solve boring problems like object storage, and less boring things like building for the AI era.

Matched from the episode's transcript 👇

Jerod is joined by Hack Clubber Acon, who is fresh off the GitHub Universe stage and ready to tell us all about High Seas, a new initiative by Zach Latta and the Hack Club crew that’s incentivizing teens to build cool personal projects by giving away free stuff.

Matched from the episode's transcript 👇

Nick Sweeting joins Adam and Jerod to talk about the importance of archiving digital content, his work on ArchiveBox to make it easier, the challenges faced by Archive.org and the Wayback Machine, and the need for both centralized and distributed archiving solutions.

Matched from the episode's transcript 👇