JWT none
https://twitter.com/__agwa/status/1288953720668119045 [twitter.com]
2020-08-01 01:46
tags:
auth
security
tweet
web
Every time there is another JWS/JWT vulnerability involving “alg”:“none” (like today, lolsob), people focus on the “none” part. But the real problem is the “alg” part.
source: white
Finding the hotel room of a target
https://twitter.com/josephfcox/status/1201628379943964673 [twitter.com]
2019-12-03 04:20
tags:
opsec
tweet
wifi
War dial hotel WiFi login... Room number and last name login.
source: cox
History of VGA cables and DDC and more
https://threadreaderapp.com/thread/1156392702725902336.html [threadreaderapp.com]
2019-08-01 00:09
tags:
graphics
hardware
tech
tweet
The Emojiency
https://twitter.com/chaosprime/status/1119783694611488768 [twitter.com]
2019-04-25 02:38
tags:
development
git
swtools
text
turtles
tweet
last week i got to witness an engineering department lose a full day’s work because if you put an emoji in a git commit message, Atlassian Bamboo chokes on it forever and you’re forced to rebase master, like you should NEVER DO.
source: grugq
I used the Right-to-Left UTF-8 character
https://twitter.com/pixelastic/status/1111199259678986240 [twitter.com]
2019-03-31 04:33
tags:
text
tweet
ux
in my info on GitHub. Makes it easy to spot automated emails (and it’s also fun to see UIs importing the data breaking)
source: grugq
A short reading list on voting security
https://twitter.com/mattblaze/status/1107016083930787840 [twitter.com]
2019-03-30 03:15
tags:
links
policy
security
tweet
The beginning of Public-key cryptography
https://twitter.com/LucasNuzzi/status/1102620974216871936 [twitter.com]
2019-03-08 18:26
tags:
crypto
history
math
tweet
“Can the reader say what two numbers multiplied together will produce the number 8616460799? I think it unlikely that anyone but myself will ever know”
-William S Jevons, The Principles of Science, 1874
source: green
The data structures were not initialized
https://twitter.com/tom7/status/1101876213453340674 [twitter.com]
2019-03-03 00:39
tags:
bugfix
c
tweet
/////// Initialize data structures \\\\\\\
Init();
Never comment your code. Problem solved.
HOT TAKE on the recent CPU Bugs
https://twitter.com/ellism/status/949738785159364608 [twitter.com]
2019-02-06 22:40
tags:
cpu
essay
fiction
sidechannel
tweet
You weep over the side channel attacks and you curse Intel. You have the luxury of not knowing what I know; that speculative execution, while dangerous, probably saves cores. And my optimizations, while grotesque and incomprehensible to you, save cores. You don’t want in order execution because deep down in places you don’t talk about at parties, you want the most instructions per cycle.
to increment some counter on the page
https://twitter.com/chordbug/status/1092824183124488192 [twitter.com]
2019-02-05 20:28
tags:
html
intro-programming
javascript
tweet
type-system
web
node.innerText += 1 doesn’t work (0 → 01 → 011 → ⋯), but node.innerText -= -1 works fine (0 → 1 → 2 → ⋯)
you have been removed for inauthentic behavior
https://twitter.com/matt_levine/status/1091056868498333696 [twitter.com]
2019-02-01 02:33
tags:
ai
future
social
tweet
valley
is the last thing you hear when the robots come for you
source: ML
I ran Cypress (the JS testing tool) exactly one time ever.
https://twitter.com/garybernhardt/status/1086743481001734144 [twitter.com]
2019-01-20 04:25
tags:
development
javascript
swtools
testing
turtles
tweet
Today I noticed that it put 42,471 files in ~/Library/Caches. 41% of all cache files on my machine are from that one launch. The resource consumption of modern programming tools is just reckless.
Time to the first reply literally beginning with the words “who cares”: about one hour.
Common Grammar Mistakes to Avoid
https://twitter.com/checarina/status/1085256958742016007 [twitter.com]
2019-01-17 06:37
tags:
essay
language
tweet
1. LESS/FEWER. This one is really embarrassing. You may think pointing out the difference between these two at every opportunity makes you CLEVER and INTERESTING. In fact, it makes you TEDIOUS.
phone thieves forcing victims at gunpoint to disable “find my iPhone”
https://twitter.com/mattblaze/status/1085607855179382784 [twitter.com]
2019-01-17 04:52
tags:
hoipolloi
iphone
opsec
tweet
My understanding is that “find my iPhone” has measurably reduced phone robberies. This escalation was probably inevitable, but it seems like the feature could probably be engineered to make it more difficult for thieves to force a victim to disable it on the spot.
1857 time table
https://twitter.com/cpuGoogle/status/1080650440826511361 [twitter.com]
2019-01-04 18:06
tags:
history
life
tweet
urban
In order to relieve, in some degree, this anomaly in American railroading, we present the following table of local time, compared with that of Washington, D.C.
I’ve always felt the problem with timezones is that there simply aren’t enough of them.
source: grugq
QuickBooks is an interesting case study in UX
https://twitter.com/garybernhardt/status/1080906283883028480 [twitter.com]
2019-01-03 21:58
tags:
development
swtools
tweet
ux
QuickBooks starts so fast that it’s visible in the menu bar before my eyes can get up there. That means that I don’t see the menu bar change, which makes me think that it hasn’t actually finished launching yet. This shows how much I’ve become used to the slowness of web apps.
They tried to do the standard “tech” thing, which is to dumb it down to the lowest common denominator. It failed due to backlash, but only because there’s a huge user base with decades of time using it. New tools don’t have the benefit of that backlash. I’m looking at you, Slack!
Getting started in QuickBooks is annoying and slow. Likewise Vim, Emacs, any Unix shell, or OmniFocus. But if you need these tools then you’ll probably use them for decades. You do a disservice by valuing a 4-hour learning curve in a tool that you’ll spend 20,000 hours in.
“Dear God, remind me again why that CA is trusted?”
https://twitter.com/sleevi_/status/1068645519864545280 [twitter.com]
2018-12-02 17:56
tags:
networking
security
tweet
Every time I think I’ve seen the worst of the bad behavior by CAs, I find a new low.
Alas, few details.
How VPN Works
https://twitter.com/IPvFletch/status/1066851854460641280 [twitter.com]
2018-11-27 21:01
tags:
networking
security
tweet
As you can see, the straws are perfectly secure.
FIPS mode initialized
https://twitter.com/zakirbpd/status/1062814903394660352 [twitter.com]
2018-11-15 04:19
tags:
crypto
library
policy
security
tweet
Well that’s without doubt the most terrifying warning I’ve received on a terminal.
please don't "disrupt" my dotfiles, tech industry
https://twitter.com/garybernhardt/status/1062760973457514496 [twitter.com]
2018-11-14 23:00
tags:
admin
git
swtools
turtles
tweet
An npm module named husky destructively added pre- and post-commit hooks to my dotfiles repo (literally ~/.git!). Or maybe some other module told it to do that. I never asked for that. I don’t understand why the JavaScript tool ecosystem is like this!
You know what they say, you install someone’s code on your computer, it’s their computer now.