Shared posts

28 May 14:52

WebGL Fluid Dynamics Simulator

by Jason Kottke

Pavel Dobryakov has built a nifty little fluid dynamics simulator in WebGL that runs in any modern browser, including on mobile devices. You can drag around on the screen with your mouse or finger and produce colorful swirling patterns like these:

WebGL fluid simulator

iOS and Android apps are also available. (via @EdwardDixon3)

Tags: Pavel Dobryakov
28 May 14:52

#1879 – Reaper

by Chris


28 May 14:52

Gaming

by Justin Boyd


My power supply died the other month and I was gonna do The Big Upgrade. And then I didn’t because it would have been Too Much Money.



bonus panel
28 May 14:51

Comfi Memory Foam Hoodie

by info@dudeiwantthat.com Erin Carstens
24 May 14:24

Exercism

by Dan Jones

This seems like a pretty neat site.

It’s basically a programming practice site. You choose what language you want to learn/improve. They give you exercises to practice.

But this site also has mentors that can give you feedback on your solutions. So, you’re not just submitting solutions that work, but you’re getting feedback on how good your solution is from folks who already know the language well.

I’ve decided I’m just going to learn as many new languages as I can. I’m doing new exercises during my lunch hour now.

Also, it’s free. Which is awesome.

24 May 14:17

A GitLab user’s guide to GitHub’s new features

by GitLab

Today at GitHub’s Satellite developer conference, GitHub announced a number of new features. If you are a GitLab user, here is a quick cheat sheet of what GitHub announced today and how that relates to GitLab features that already exist or are on the public GitLab direction page.

What GitHub announced on May 23, 2019 | Similar & related GitLab features
Enhanced security vulnerability alerts | Group Security Dashboard; Project Security Dashboard; SAST; DAST; Container Scanning
Automated MRs for dependency vulnerabilities (Dependabot acquisition) | Vulnerability Remediation Merge Request
Dependency Insights | Dependency List (planned for 12.0)
Token Scanning | Secrets Detection
Maintainer Security Advisories | Confidential Issues; Private MRs (planned); Vulnerabilities as First Class Elements (in planning – please contribute!)
Security Policy | Good idea!
Enterprise Accounts | Group Level Management
New Roles & Permissions | Permissions
Team Synchronization | LDAP Group Sync
Internal Repositories | Internal Projects
Organization Insights | Contribution Analytics; Cycle Analytics
Audit Log API | Audit Events
Git Data Encryption at Rest | Yes, for GitLab.com
Draft Pull Requests | WIP for Merge Requests
Statuses | Set Status

Finally, as GitLab is an open source project itself, and we are contributors to many other open source projects hosted on GitHub, we are excited to see that GitHub is looking for ways to make open source projects more secure and better funded, through GitHub Sponsors and the GitHub Sponsors Matching Fund. Nice job, GitHub!

23 May 18:52

Philip Glass on Soul Train

by Jason Kottke

It turns out that the fourth track off of Philip Glass’ soundtrack for Koyaanisqatsi matches up pretty well to the dancers in this clip from Soul Train.

I don’t know whether to like this or hate it. Actually, I think I love it. See also Soul Train dancers backed by Daft Punk. (via @tedgioia)

Tags: Koyaanisqatsi   movies   music   Philip Glass   remix   Soul Train   video
23 May 18:52

Star Trek: Picard - Teaser

by Dan Jones

It’s happening!!!

🖖

22 May 13:48

#1878 – Come here

by Chris


22 May 13:48

A Crumbling Abe Lincoln

by Jason Kottke

Lincoln Sand

Liberty Crumbling is sand sculptor Damon Langlois’ version of the statue of Abraham Lincoln at the Lincoln Memorial, which won first prize at 2019 Texas SandFest. (via colossal)

Tags: Abraham Lincoln   art   Damon Langlois
21 May 14:56

Batwoman Trailer

by Dan Jones

Looks great. I can’t wait.

It almost looks like it could be a sequel to Gotham.

20 May 14:12

Stop messing around

by CommitStrip

20 May 14:12

Gmail Tracks Your Purchase History (Shocker)

by John Gruber

Todd Haselton and Megan Graham, writing for CNBC:

Google says it doesn’t use your Gmail to show you ads and promises it “does not sell your personal information, which includes your Gmail and Google Account information,” and does “not share your personal information with advertisers, unless you have asked us to.”

But, for reasons that still aren’t clear, it’s pulling that information out of your Gmail and dumping it into a “Purchases” page most people don’t seem to know exists. Even if it’s not being used for ads, there’s no clear reason why Google would need to track years of purchases and make it hard to delete that information. Google says it’s looking into simplifying its settings to make them easier to control, however.

I’m sure they’ll get right on that.

20 May 14:12

Yoshi Egg Lamp

by elssah12

yoshi egg light

Yoshi Egg Lamp – Let’s set the scene. You’re a mustachioed plumber. A wayward Yoshi has laid an egg in your house, and it’s glowing. If you eat mushrooms, you get taller.

Wait, hang on. A Yoshi egg in your house? And it’s glowing? Man, that’s sick. If only it was real.

yoshi egg light

Wait – again! It is real. And it’s USB powered!

This life-size replica of a big ol’ Yoshi egg provides the perfect ambience for a long night of playing your favorite Ninety titles. If only it hatched, then you’d have something to sit on as well…

The post Yoshi Egg Lamp appeared first on Shut Up And Take My Money.

20 May 14:11

bug

by Lunarbaboon
17 May 13:36

What Avatar: The Last Airbender Got Right


 

This is a great thread pointing out everything that Avatar: The Last Airbender got right when talking about politics/ethical matters. This is how you address these issues right...


Source: kyoshiisland

(via: The Fandoms We Love)


May 15 2019
17 May 12:57

Sip-A-Bowl - Cereal Bowl with Built-in Straw

by info@dudeiwantthat.com Erin Carstens
17 May 12:57

Guy Turns Wrist Cast Into Infinity Gauntlet


 

Chris Davies broke his wrist recently and decided that rather than walk around with a plain cast, he'd turn it into Thanos' Infinity Gauntlet from Avengers: Endgame! Check out the step by step photos of the process...


Source: Bored Panda


May 16 2019
17 May 12:57

An Inverted World Map

by Jason Kottke

Inverted World Map

Inverted World Map

Frans Blok has created an incredibly detailed inverse map of the world, where all the current landmasses have been turned into water and oceans, lakes, and rivers converted into land.

Not only the coast lines are reversed in this world. Also, the relief is consistently the opposite of reality. So the deepest parts of the oceans are in the Tibetan and Himalayan troughs in the southern part of the Asian Ocean. And the highest peaks, around eleven kilometer, are found in the Mariana Mountains in the west of the continent Pacifica.

Prints of Blok’s map are available here.

See also Vladislav Gerasimov’s inverted world map.

Inverted World Map

Tags: Frans Blok   maps   remix
17 May 12:57

Hershey's Milk Chocolate Emoji Bars

by info@dudeiwantthat.com Erin Carstens
16 May 15:47

The Medieval Town Generator

by Jason Kottke

Medieval Town Generator

Oh my, this medieval town generator tool is super fun to play around with. By adjusting parameters like size, color palette, building styles, and which features to include (rivers, coastline, temples), you can make a random ichnographic map of a medieval town or city.

Toy Town is a related tool by the same person that allows you to move through a 3D visualization of a medieval town, a la Minecraft. (Unfortunately, you can’t generate a map in the 2D tool and then fly through it in the 3D tool.)

Medieval Town Generator

See also Auto-Generated Maps of Fantasy Worlds. (thx, ann)

Update: See also the Fantasy Map Generator. (via @mattg)

Tags: maps
15 May 19:57

LEGO Stranger Things - The Upside Down

by info@dudeiwantthat.com Erin Carstens
15 May 16:45

Photo



15 May 16:45

How To Irritate Europeans.

by languagehat

Most of this map (from Brilliant Maps) has nothing to do with language, but the few bits that do are funny enough I thought I’d post them here:

Bulgaria: Still use the Russian alphabet?
Portugal: Do you speak Brazilian right?
Turkey: Can you translate this Arabic sentence?

And yes, it’s odd they include Turkey but not Russia in “Europe.” Via Des Small at Facebook; he says “There’s nothing for Danmark, sadly, but perhaps that’s part of the joke. (There’s no need to make fun of Belgium, obviously.)”

15 May 14:44

Git ransom campaign incident report

by Atlassian Bitbucket, GitHub, GitLab

Today, Atlassian Bitbucket, GitHub, and GitLab are issuing a joint blog post, in a coordinated effort to help educate and inform users of the three platforms on secure best practices relating to the recent Git ransomware incident. Though there is no evidence Atlassian Bitbucket, GitHub, or GitLab products were compromised in any way, we believe it’s important to help the software development community better understand and collectively take steps to protect against this threat.

On Thursday, May 2, the security teams of Atlassian Bitbucket, GitHub, and GitLab learned of a series of user account compromises across all three platforms. These account compromises resulted in a number of public and private repositories being held for ransom by an unknown actor. Each of the teams investigated and assessed that all account compromises were the result of unintentional user credential leakage by users or other third parties, likely on systems external to Bitbucket, GitHub, or GitLab.

The security and support teams of all three companies have taken and continue to take steps to notify, protect, and help affected users recover from these events. Further, the security teams of all three companies are also collaborating closely to further investigate these events in the interest of the greater Git community. At this time, we are confident that we understand how the account compromises and subsequent ransom events were conducted. This coordinated blog post will outline the details of the ransom event, provide additional information on how our organizations protect users, and arm users with information on recovering from this event and preventing others.

Event details

On the evening of May 2 (UTC), all three companies began responding to reports that user repositories, both public and private, were being wiped and replaced with a single file containing the following ransom note:

To recover your lost data and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address 1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by Email at admin@gitsbackup.com with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we dont receive your payment in the next 10 Days, we will make your code public or use them otherwise.

Through immediate independent investigations, all three companies observed that user accounts were compromised using legitimate credentials including passwords, app passwords, API keys, and personal access tokens. Subsequently, the bad actor performed command line Git pushes to repositories accessible to these accounts at very high rates, indicating automated methods. These pushes overwrote the repository contents with the ransom note above and erased the commit history of the remote repository. Incident responders from each of the three companies began collaborating to protect users, share intelligence, and identify the source of the activity. All three companies notified the affected users and temporarily suspended or reset those accounts in order to prevent further malicious activity.

During the course of the investigation, we identified a third-party credential dump being hosted by the same hosting provider where the account compromise activity had originated. That credential dump comprised roughly one third of the accounts affected by the ransom campaign. All three companies acted to invalidate the credentials contained in that public dump.

Further investigation showed that continuous scanning for publicly exposed .git/config and other environment files has been and continues to be conducted by the same IP address that conducted the account compromises, as recently as May 10. These files can contain sensitive credentials and personal access tokens if care is not taken to prevent their inclusion, and they should not be publicly accessible in repositories or on web servers. This problem is not a new one. More information on the .git directory and the .git/config file is available here and here. Additional IPs residing on the same hosting provider are also exhibiting similar scanning behavior. We are confident that this activity is the source of at least a portion of the compromised credentials.

Known ransom activity ceased on May 2. All known affected users have had credentials reset or revoked, and all known affected users have been notified by all three companies.

How to protect yourself

Enable multi-factor authentication on your software development platform of choice.

Use strong and unique passwords for every service. Strong and unique passwords prevent credential reuse if a third party experiences a breach and leaks credentials. Use a password manager (if approved by your organization) to make this easier!

Understand the risks associated with the use of personal access tokens. Personal access tokens, used via Git or the API, circumvent multi-factor authentication. Tokens may have read/write access to repositories depending on scope and should be treated like passwords. If you enter your token into the clone URL when cloning or adding a remote, Git writes it to your .git/config file in plain text, which may carry a security risk if the .git/config file is publicly exposed. When working with the API, use tokens as environment variables instead of hardcoding them into your programs.

Do not expose .git directories and .git/config files containing credentials or tokens in public repositories or on web servers. Information on securing .git/config files on popular web servers is available here.

How to recover an affected repository

If you have a full, current copy of the repository on your computer, you can force push to the current HEAD of your local copy using: git push origin HEAD:master --force.

Otherwise, you can still clone the repository and make use of: git reflog or git fsck to find your last commit and change the HEAD.

Additional assistance on Git usage is available in the following resources:

Should you require additional assistance recovering your repository contents, please refer to the following:

What the software development platform community is doing to protect users

All three platforms provide robust multi-factor authentication options:

Bitbucket provides the ability for admins to require two-factor authentication (2FA) and the ability to restrict access to users on certain IP addresses (IP Whitelisting) on their Premium plan.

GitHub provides token scanning to notify a variety of service providers if secrets are published to public GitHub repositories. GitHub also provides extensive guidance on preventing unauthorized account access. We encourage all users to enable two-factor authentication.

GitLab provides secrets detection in 11.9 as part of the SAST functionality. We also encourage users to enable 2FA here, and set up SSH keys.

Thanks to the security and support teams of Atlassian Bitbucket, GitHub, and GitLab, including the following individuals for their contributions to this investigation and blog post: Mark Adams, Ethan Dodge, Sean McLucas, Elisabeth Nagy, Gary Sackett, Andrew Wurster (Atlassian Bitbucket); Matt Anderson, Howard Draper, Jay Swan, John Swanson (GitHub); Paul Harrison, Anthony Saba, Jan Urbanc, Kathy Wang (GitLab).
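
The post's point that a token typed into a clone URL is written to .git/config in plain text can be checked on your own working copies. The Python below is an added example, not code from the joint post: the sample config, the host git.example.com and the token strings are constructed placeholders, and it goes slightly beyond the case described by also flagging `[url "..."]` rewrite sections that embed a credential.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a .git/config after cloning with a token typed into the URL.
SAMPLE_CONFIG = """\
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://alice:EXAMPLE-TOKEN-0000@git.example.com/team/app.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
    url = git@git.example.com:team/app.git
[remote "backup"]
    url = https://git.example.com/team/app.git
[url "https://oauth2:EXAMPLE-TOKEN-1111@git.example.com/"]
    insteadOf = https://git.example.com/
"""

SECTION = re.compile(r'^\s*\[\s*([\w.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')
KEYVAL = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$')

def strip_userinfo(url):
    """Return (clean_url, had_userinfo). Only http(s) URLs are flagged; a bare
    username is flagged too, since a token can sit in the username position."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or "@" not in parts.netloc:
        return url, False  # scp-style SSH remotes (git@host:path) land here
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment)), True

def find_embedded_credentials(config_text):
    """List findings as dicts; the secret itself is never copied into the result."""
    findings, section, sub = [], None, None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = SECTION.match(line)
        if m:
            section, sub = m.group(1).lower(), m.group(2)
            # [url "<base>"] rewrite rules keep the credential in the section name.
            if section == "url" and sub:
                clean, hit = strip_userinfo(sub)
                if hit:
                    findings.append({"line": lineno, "where": "url rewrite", "clean": clean})
            continue
        m = KEYVAL.match(line)
        if m and section == "remote" and m.group(1).lower() in ("url", "pushurl"):
            clean, hit = strip_userinfo(m.group(2))
            if hit:
                findings.append({"line": lineno, "where": f"remote {sub}", "clean": clean})
    return findings

if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_CONFIG):
        print(f'line {f["line"]}: {f["where"]} embeds a credential; use {f["clean"]}')
```

Any credential this finds should be revoked and reissued, not just removed from the file, and the remote pointed at the cleaned URL with `git remote set-url`.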

14 May 13:58

Deadpool Learns Un-Killing People is Hard


 

In this weirdly heartwarming comic book excerpt from Deadpool #20, Wade stops a young woman from committing suicide and in the process learns "un-killing" people is way harder than what he usually does...


14 May 13:57

Superhero

by Lunarbaboon
14 May 13:57

Comic for 2019.05.12

14 May 13:57

Alternate Histories

"So their universe wouldn't have the iconic photo of a screaming Truman being hoisted aloft by the newspaper-printing machinery..."
14 May 13:57

Comic for 2019.05.13