Web Excursions 2021-10-09

20 Things I've Learned in My 20 Years as a Software Engineer by simplethread.com

  • The hardest part of software is building the right thing

    • Designing software is mostly a listening activity, and

    • we often have to be part software engineer, part psychic, and part anthropologist.

    • Investing in this design process, whether through dedicated UX team members or by simply educating yourself, will deliver enormous dividends.

  • The best code is no code, or code you don’t have to maintain

    • If you don’t have a good grasp of the universe of what’s possible, you can’t design a good system

  • Every system eventually sucks, get over it

    • Worry less about elegance and perfection;

    • instead strive for continuous improvement

    • and creating a livable system that your team enjoys working in and sustainably delivers value.

  • People don’t really want innovation

    • If you truly innovate, and change the way that people have to do things, expect mostly negative feedback.

    • If you believe in what you’re doing, and know it will really improve things, then brace yourself for a long battle.

  • Your data is the most important part of your system

    • Dealing with this data in the future can become a nightmare.

    • Just remember, your data will likely long outlive your codebase.

    • Spend energy keeping it orderly and clean, it’ll pay off well in the long run.

  • Look for technological sharks

    • Old technologies that have stuck around are sharks, not dinosaurs.

    • They solve problems so well that they have survived the rapid changes that occur constantly in the technology world.

  • Don’t mistake humility for ignorance

    • Never assume that just because someone isn’t throwing their opinions in your face that they don’t have anything to add.

  • Software engineers, like all humans, need to feel ownership

    • If you divorce someone from the output of their work, they will care less about their work.


How Safari 15 Checks a Secure Connection by eclecticlight.co

  • Safari uses machine learning to determine whether sites are likely to be part of a phishing attack,

    • a result which is reported in the log [in the form of]
      0.697267 MLPhishing Safari SafariSharedUI Classified URL <private> as LikelyNotPhishing

  • macOS uses an open source derivative of OpenSSL named BoringSSL to handle its TLS connections.

  • [ In a strange case the author found himself in, ]

    • The certificate information provided by Safari on that Mac showed it was the intermediate certificate which had already expired, a day before the Root did.

    • However, as [the author] recorded, connecting to exactly the same site using Safari 15 on the Monterey beta resulted in success,

      • with the certificate information reporting the updated certificates, neither of which had expired.

  • As far as I can see, the only explanation

    • is that the Big Sur system obtained its intermediate and root certificate information locally,

    • from a cache or database which hadn’t been updated for the new certificates,

    • while the Monterey system obtained fresh certificate information which did reflect the changes.


Cloudflare Doesn’t Have to Cut Off Copyright-Infringing Websites, Judge Rules by arstechnica.com

  • Cloudflare was sued in November 2018

    • by Mon Cheri Bridals and Maggie Sottero Designs,

    • two wedding dress manufacturers and sellers

    • that alleged Cloudflare was guilty of contributory copyright infringement

    • because it didn't terminate services for websites that infringed on the dressmakers' copyrighted designs

  • The lawsuit said the Cloudflare terms say that

    • any violation of law justifies termination of service and that

    • "CloudFlare's policy is to investigate violations of these terms of service and terminate repeat infringers."

    • The plaintiffs sent Cloudflare thousands of takedown notices,

      • and often up to four notices about the same infringing sites,

      • but "Cloudflare has ignored these notices and takes no action after being notified of infringing content on its clients' websites."

  • [The judge wasn't convinced and wrote in the decision that the] plaintiffs did not prove

    • that the faster website-load times enabled by Cloudflare "would be likely to lead to significantly more infringement."

    • Additionally, Cloudflare removing infringing material from its cache would not prevent users from seeing the copyrighted images.

  • The plaintiffs also tried to prove contributory infringement by pointing to Cloudflare security services that detect suspicious traffic and prevent attacks on a website's host.

    • The judge dismissed this argument


Twitch’s Security Problems Started Long Before This Week’s Hack by theverge.com

  • The Verge has spoken to multiple sources who claim that

    • during their time at Twitch, the company valued speed and profit over the safety of its users and security of its data.

  • In August, hate raids

    • in which marginalized streamers were subjected to uncontrollable numbers of bots spamming hate speech

    • erupted across Twitch.

  • [There was an] unreported security problem [that] occurred in 2017, according to the source, and opened up the platform to new risks.

  • Twitch uses a lot of third-party services that Amazon has traditionally avoided.

    • Twitch was on Slack before Amazon eventually adopted it,

    • [and Twitch] has struggled to perform effective audits on the software and tools it has been using in the past.

  • The same source claims they were also being asked to “approve and review documents” months after they had left Twitch.


It’s Time to Stop Paying for a VPN by nytimes.com

  • The reality is that web security has improved so much in the last few years that VPN services,

    • which charge monthly subscription fees that cost as much as Netflix,

    • offer superfluous protection for most people concerned about privacy

  • Many of the most popular VPN services are now also less trustworthy than in the past

    • because they have been bought by larger companies with shady track records.

  • For several years, I subscribed to a popular VPN service called Private Internet Access.

    • In 2019, I saw the news that the service had been acquired by Kape Technologies, a security firm in London.

    • Kape was previously named Crossrider,

      • a company that had been called out by researchers at Google and the University of California for developing malware.

  • In the last five years, Kape has also bought several other popular VPN services,

    • including CyberGhost VPN, Zenmate and, just last month, ExpressVPN in a $936 million deal.

    • This year, Kape additionally bought a group of VPN review sites that give top ratings to the VPN services it owns.


Explainer: caching – The Eclectic Light Company

  • In general, a buffer provides temporary storage, like a reservoir, which copes with transfers in which one or more steps are significantly slower than others.

    • A buffer is normally fairly simple to manage as a ‘first in, first out’ queue.

  • Caches are normally more complex, and don’t just act as simple reservoirs, but provide fast-access local storage which can save having to wait to access data over a slower connection.

  • macOS tends to hide its caches away to discourage users and software from tampering with them.

    • A peek in one of the more obvious locations ~/Library/Caches

      • will probably reveal several GB of cache files, many of which the client apps are blissfully unaware of.

    • Another favourite location for caches is in /var/folders,

      • stored on the Data volume,

      • where opaquely named folders are full of mysterious files, amounting to another several GB of unknown data.