While high-profile figures like Mark Zuckerberg are known for making stealthy real-estate buys, some of the most extreme secrecy measures are demanded by people you’ve never heard of. “Sometimes I want to say, ‘Nobody cares!’” said Compass real-estate agent Cindy Scholz, of New York.

The client wouldn’t send his financial documents because of Mr. Swierczewski’s laptop software. “He hated Windows,” said Mr. Swierczewski, who agreed to install a Linux operating system. It took two days to get it work, forcing Mr. Swierczewski to cancel appointments. “I almost threw my computer at the wall,” he said.

You get faster at anything with repetition. Maybe you don’t solve any particular kind of problem often enough to be fluent at solving it. If someone can solve a problem by quickly typing a one-liner in a shell, maybe they are clever, or maybe their job is repetitive. Or maybe both: maybe they’ve found a way to make semi-repetitive tasks repetitive enough to automate. One way to become more productive is to split semi-repetitive tasks into more creative and more repetitive parts.

source: L

Doing less work goes a long way towards being faster.

Exploration of HTTP security and other non-typical headers

Just one more header and we’ll keep the privacy from leaking out. Just one more, I promise!

A case study of JavaScriptCore and CVE-2016-4622.

When programming in Ruby many people think that egregious memory usage is the norm and unavoidable. However, there are ways and strategies to keep memory usage down and in this post I will show you some of them.

source: L

Sometimes I toy with a “portfolio” theory of politics, namely that if your city or region’s core sector is quite capitalistic, your city’s politics will be fairly left-wing as a kind of expressive recompense against daily life.

source: MR

The OAuth 2.0 protocol itself is insecure. The document specifies some security measures that are optional (which boils down to missing for the casual developer). Apart from that, there are additional loopholes as well.

source: solar

This is kind of rambling, but interesting, and I liked this line.

You already heard that story a million times, with a million players. The cliche is that guys go broke buying Ferraris or whatever. Listen, it takes a long time to go broke buying Ferraris.

source: DF

How, who, and when mobile updates are delivered.

source: grugq

Fuzzing is sort of a superpower for locating vulnerabilities and other software defects, but it is often used to find problems baked deeply into already-deployed code. Fuzzing should be done earlier, and moreover developers should spend some effort making their code more amenable to being fuzzed.

This post is a non-comprehensive, non-orthogonal list of ways that you can write code that fuzzes better. Throughout, I’ll use “fuzzer” to refer to basically any kind of randomized test-case generator, whether mutation-based (afl, libFuzzer, etc.) or generative (jsfunfuzz, Csmith, etc.). Not all advice will apply to every situation, but a lot of it is sound software engineering advice in general. I’ve bold-faced a few points that I think are particularly important.

Belt and suspenders. If it’s not supposed to be null, check for null.

source: grugq

Three approaches.

This opinion is a contender for the most interesting Section 230 ruling of 2017. It deals with the troubling situation of user-to-user online drug sales; it discusses the thorny language of what it means to “develop in part” content; it decisively rejects the latest anti-Section 230 theory that data mining and targeted content recommendations somehow foreclose the immunity; it emphatically rejects a “failure to warn” workaround to Section 230; and the judge embraces Internet exceptionalism. My apologies for the length of this blog post, but there is a lot to unpack in this opinion. If you’re a Section 230 enthusiast, this case deserves your careful attention.

For small examples, this looks like a lot of boilerplate and obfuscation just to avoid a switch or two, but maybe it helps keep some larger state machines sane.

Another post: https://nblumhardt.com/2016/11/stateless-30/

Boiled scrambled eggs. What will they think of next?

capsicumizer is a sandbox launcher that imposes Capsicum capability mode onto an unsuspecting program, allowing “sysadmin style” or “oblivious” sandboxing (i.e. no source code modifications, all restrictions added externally).

source: Dfly

Not only does Google, the world’s preeminent index of information, tell its users that caramelizing onions takes “about 5 minutes”—it pulls that information from an article whose entire point was to tell people exactly the opposite. A block of text from the Times that I had published as a quote, to illustrate how it was a lie, had been extracted by the algorithm as the authoritative truth on the subject.

Teaching the controversy. The danger of refuting misinformation is Google only wants to read the first half of any article.

UPDATE: At some point after this post was published, Google stopped promoting “about 5 minutes” as the correct answer

Manual process at work?

source: DF

Most modern programming languages have a function somewhere in their standard library for splitting strings.

What should it return?

source: L

That is, if you add a small number to a large number then if the small number is “too small” then the large number may (in the default/sane round-to-nearest mode) stay at the same value.

Because of this the loop spins endlessly and the push command runs until the array hits the size limits. If there were no size limits then the push command would keep running until the entire machine ran out of memory, so, yay?