Spam making it through my spam filter now includes invitations to join the illuminati and offers to sell large volumes of crude oil, and this is not the 2021 I expected, but it probably should have been

I honestly have more anxiety going to doctors over being fat than I do from being trans. (Though if I wasn't fat, then any symptom I had would be somehow blamed on hormones, so its a layer cake of dismissal.)

---
RT @sa_vvy_
this is what we mean when we say fatphobia kills people. good morning. twitter.com/ffigurefbust/statu
twitter.com/sa_vvy_/status/136

And you get the full range of tools... go ahead, attach a runtime debugger to the process. Or dtrace/strace the system calls. Or record network activity to see what it's ACTUALLY sending over the wire.

Show thread

Expensive if you have every dev have their own cloud resources. Unscalable if you don't and devs have to share.

With everything running locally it's easier to isolate just the thing you want to test.

Show thread

If you can't try changes out locally without involving cloud services you're setting yourself up for a time consuming and either expensive or unscalable debugging experience.

Show thread

If there is one lesson I can impart to devs growing up in the cloud computing era: When you encounter a bug, try to reproduce it locally first. No, staging doesn't count.

We ourselves, much like our AI tools, are correlation engines. In theory, we've learned that's not enough for our own decision making, yet we lose sight of this when we put that same behavior into a machine.

Show thread

Honestly, this might actually be exposing biases in regular job interviews. I would entirely believe that people would rate someone with a bookshelf behind them higher on targets like these.
---
RT @hatr
Colleagues of mine analyzed A.I.-based job interviews. The software promises to be able to detect personality traits and be "faster, but also more objective". Turns out: Just placing a bookshelf in the background, changes the results signific…
twitter.com/hatr/status/136175

I catch myself rewriting all of my "we should do x" statements into "I feel we should do x" statements and slap my own wrist, and then proceed to post them that way anyway. 🤷‍♀️

This merging of version data from streams, one trusted, one untrusted set people up for this outcome. If you just said "a given package name can only come from one stream" you would be invulnerable to this attack.

Show thread

The single authority problem is just not a great restriction to add to your systems. Especially when its unnecessary. The real problem is that package managers and artifact repos were taking versions from multiple sources FOR THE SAME PACKAGE.
---
RT @bradleymeck
There is a claim that verified users / namespaces solves this ( blog.sonatype.com/why-namespac ); I would agree that it s…
twitter.com/bradleymeck/status

I put FRED the Framework macro language on my first resume, 'cause I wanted to show that I was good lil programmer who'd sought out lotsa languages to learn. preeeetty sure no one cared, lol

Show thread

oh my goood, it's only the thing I wished I had in a spreadsheet since I first used one in uh... Framework III
---
RT @msexcel
Excel keeps evolving to give users even more. Now, with the power of LAMBDA, you can write your own reusable functions with the Excel formula language. See how we're transforming Excel: msft.it/6014pF2Oa
twitter.com/msexcel/status/135

For clients, well with Python it's "please stop taking out the footgun and shooting yourself". npm doesn't provide one, so you have to construct your own footgun, deploy it, then discharge it, but there are private registry companies happy to provide footguns prebuilt.

Show thread

It's an honestly impressive response and testament to the registries that did manage to notice and mitigate this on their own. Imperfect, but as a service, the most that they could do.

Show thread

One of the more interesting details to this is response from the registry teams. npm caught and was deleting the attacks promptly, and only kept them up after discussing them with the researcher. Pypi also caught and removed them (and declined to keep them up). Others did not.
---
RT @hmemcpy
Holy. Effin. Shit. bleepingcomputer.com/news/secu
twitter.com/hmemcpy/status/135

Signing will not save you. Signing will not save you. I'm sorry, but signing will not save you. Sometimes I think it's the only security measure some devs have ever heard of, so they think it'll solve all their problems and bring them flowers.

This @jfrog article is some serious aversion to taking responsibility. The npm registry can't insist that you don't do main namespace merges. Azure Artifacts no longer does, w/o npm's help. IIRC npm enterprise didn't either. Y'all chose this. Own it.
---
RT @wesleytodd
@i_a_r_n_a I honestly think folks just did not take it seriously because "we have scopes" and "we have exclude rules".

jfrog.com/blog/yet-another-cas
twitter.com/wesleytodd/status/

Also it didn't impact purely open source developers, and it turns out, most package manager authors are exactly that.

Show thread
Show more
Anarchism Space

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!