Rolandt

Read UK investment in NL since 2016 on the rise, NL investment in UK in decline (Centraal Bureau voor de Statistiek)

De stroom aan Britse investeringen die jaarlijks Nederland binnenkomen zijn sinds het Brexit-referendum in 2016 aanzienlijk toegenomen. Van 14 miljard in 2016 naar meer dan een verdubbeling in 2017 tot 80 miljard in 2018.

The much sought after ‘Brexit Dividend’ according to the Dutch national statistics office CBS is working out a bit different than expected by some it seems.

Dutch investment per year in the UK since the referendum by internationally operating companies (those creating subsidiaries in another country), went from 50 billion Euro in 2016 (then representing 182.000 UK jobs), to 35 billion in 2017, to minus 11 billion in 2018. So it dropped 30% in the first year after the referendum and then turned to actual des-investment last year. Vice versa it is the other way around. UK investment into the Netherlands (again, what’s looked at here is companies creating subsidiaries in another country) was 14 billion Euro in 2016, grew to 35 billion Euro in 2017, and then jumped to 80 billion Euro in 2018.

Source Dutch National Bank, image Dutch Statistics Office

A recent client wanted dozens of people to run small groups of 50 to 75 people in different territories around the world.

They had identified 50 possible leaders and invited each of them to form a Slack group.

It’s a neat solution, the main channel kept all the leaders connected and members could then find the right sub-channel for them.

Alas, the neatest solution is rarely the best solution. A handful of people gave it a shot but they soon lost interest.

It’s very hard to attract and retain active leaders if you’re trying to exert control over what technology they use, how they manage the community, and how they can engage the audience. Neatness and autonomy don’t play well together.

More importantly, the people you want to run groups (especially local groups) know far better than you what’s likely to work, what technology their audience will respond to, and how to run the groups. You can equip them with knowledge, but you can’t exert control.

We took a different approach. First, we encouraged leaders to use whichever tools they felt would work best. Next, we began asking how we can support them instead of asking them to support us. A handful said they didn’t need any support, a few asked for promotion, and a couple wanted some advice to keep members engaged.

It’s still early days, but there are now 20+ active groups (instead of just 3 before) and the relationship with each leader is far less strained. It’s not a neat solution, but each leader has far more autonomy and receives exactly the support they need.

P.S. Speaking at Khoros Engage in Austin this week. Tickets available here.

Just to elaborate one point. In the file managers I've seen, the "tree" pane shows only the hierarchy of folders - files are NOT shown in the tree. With my idea, files would also be shown in the tree. And moving the files would be a matter done by Ctrl+arrow keys in the hierarchy to the new desired location under and to the right of the parent folder. Also, now that I think of it, when such a move is completed, the user would have to be prompted to select whether the operation is a Move or a Copy.

Data orientation allows freedom of movement between layers of meaning. Each interpretation adds a layer of meaning. If the data were hidden, we would not be able to freely interpret it how we want. In this episode, we explore an example of what it means to move up and down the layers of meaning.

Transcript

Eric Normand: What is the benefit of data orientation? In the last episode, I went over what data orientation is. Now, we’re going to be talking about its benefits.

By the end of this episode, I think you should have a really good idea of why data orientation is useful as a programming paradigm, programming style process. I don’t know what it is. My name is Eric Normand, and I help people thrive with functional programming.

Data orientation — just a quick recap — means programming with data. I’m going to amend it a little bit, and I am going to say at all levels.

I’m going to cut to the chase. The benefit is freedom. It’s freedom to work at the level you want to work at, the level of meaning.

What do I mean by level of meaning? Let’s imagine we have some JSON. It’s a map. It’s got some string keys and some string values. Some of the values are maps as well. There’s arrays in there with some numbers. It’s a JSON.

Now, let’s go down a layer of meaning. Down like, let’s un-interpret this. We’re going down a layer of meaning.

At a lower level, this is just characters. We took some characters, and we parsed them into JSON.

JSON is really like a syntax for how you represent maps, arrays, and strings, etc. It’s a syntax. It’s really characters one level down. Characters, if you go down another level, are a sequence of bytes.

That those bytes require interpretation to turn them into characters. Then the characters require interpretation to turn them into JSON. These are the levels I’m talking about, the levels of meaning.

We’re back at JSON. If we interpret again, we go up another level. We look into the JSON. We see it has information that makes it pretty clear that this is an HTTP request.

It has a URI. It has a server, host. It’s got a request method, stuff like that. It’s an HTTP request.

Let’s take this HTTP request. It’s still JSON. Let’s take this HTTP request, and let’s interpret it. Go up a level.

The way you usually do when you interpret an HTTP request, one thing you can do is you can route. You can look at the path and figure out like, “What is this HTTP request supposed to do?”

We see that it is an update to the user settings. The users have settings in our system, and this is a post to /user/settings. We can interpret this and say, “Wow, this is a request to update the user settings.”

Now, if we look, if we interpret it again, we’re going up another level of meaning. We’re going to see that you look in the body, and it’s a set password. This is trying to change the password of this user. Let’s stop there.

We got all these levels. I’m going to count them. One, two, three, four, five, six. We’ve got over six layers of meaning here.

This is the benefit of data orientation that you can move freely. You have the freedom to move up and down the layers.

I’m interpreting. I’m going, again, adding meaning. I’m adding meaning. I’m adding meaning. Then I can go back down.

Even if I’m at the highest level we got to, which is, “This is a request to set the user’s password,” I could still take that and go back down to bytes. I could take it and serialize it over the network. This is a freedom that we have.

If you were hiding the data, you wouldn’t have that freedom. You don’t know how to go. You’d have to invent in the whole API to move along these levels, these layers of meaning. This is the benefit — the freedom of moving up and down. This is going to be a quick episode.

Let me recap. Data orientation means programming with data at all levels of meaning. The benefit is freedom, because you’re working with data at all levels — moving up and down, interpreting, even going down as a kind of interpretation.

If you say, “I’ve got this update user settings request,” now let me treat it again like an HTTP request and get this header out of it. Or let me treat it, again, like JSON and I’m going to just get the keys from it, which is something you can do with JSON, with a map. You can get the keys.

I want to note also that some of these interpretation levels had a change of type. When we went from byte stream or byte array to string or character array, that was a change of type. Then when we went from characters, we parsed those, and we turned it into JSON. That was a change of type.

Then some didn’t have a change of type. When we went from JSON to HTTP request, it was still JSON. We didn’t put in a new type. It’s the same type.

We didn’t change it. Now, we’re going to get to the details of this in the next episode, but just note that.

Let’s recap. We had six levels of meaning there, and we were able to move up and down between them. At any point, we can treat it like JSON and serialize it to a string.

Then take that string, send it over the network. It’s going to get turned into bytes, into packets. There’s another kind of interpretation you’ve got there.

In the next episode, we’re still talking about data orientation, but I really want to answer this question of types and whether you can use types with data orientation.

If you like this episode, you should subscribe. You should go to lispcast.com/podcast. You will find links to subscribe, also to get in touch with me on social media. You’ll also find all of the past episodes, including audio, video, and text transcripts of all of them.

You can subscribe however you want. If you want the videos, you can subscribe on YouTube. If you want the audio, you can subscribe in iTunes or whatever podcast player you use. Or you can get the RSS for the text if you like it that way.

This has been my thought on functional programming. I’m Eric Normand. Thanks for listening and rock on.

The post What is the benefit of data orientation? appeared first on LispCast.

Dieses Wochenende habe ich die Arlo-Installation um zwei Arlo Pro 2 aufgerüstet. Das System hat sich bewährt und erhält nun ein signifikantes Update.

Ich habe Arlo vor Jahren über einen Nachbarn kennen gelernt, einige Jahre, nachdem ich den Faden mit Netgear verloren hatte. Agenturen wechseln, Mitarbeiter sind plötzlich woanders. So passiert das. Und Arlo war für mich eine echte Entdeckung. Das System hat ein paar Besonderheiten, die es für einen ganz speziellen Anwendungsfall interessant machen, für viele andere aber nicht.

Diese Arlo Wireless sind batteriebetrieben und sollten keinesfalls dauernd aufzeichnen, sondern solange schlummern, bis es einen Event gibt. Und den entdecken sie entweder über den eingebauten Bewegungssensor oder (bei den Pro-Modellen) das Mikrofon. Man stellt einen Trigger ein, die Kamera beginnt aufzuzeichen und schickt einen Alert. Damit das reibungslos funktioniert, haben die Arlos eine eigene Basisstation, welche die Kameras von dem ganzen Netzwerktraffic des WLANs isoliert. An der Basisstation der Pro kann man ein USB-Speichermedium anstecken und dort Videos aufbewahren, so lange man will. Ist das Medium voll, werden alte Videos automatisch gelöscht.

Das ist aber nicht der eigentliche Einsatzzweck. Die Kameras streamen das Video über die Basis in die Cloud, wo sie eine Woche lang aufbewahrt werden. Und das ist bei Kunden aller HD- und Pro-Modelle bereits im Preis eingeschlossen, so lange sie bis zu fünf Kameras betreiben. Bei den neueren Ultra-Modellen muss man dagegen nach einem Jahr einen Service-Vertrag abschließen. Es gibt zwei wesentliche Unterschiede zwischen allen Arlo-Modellen: Stromversorgung und Auflösung. Die HD macht 720p, die Pro ebenfalls, die Pro 2 kommt auf 1080p und die Ultra gar auf 4k. Arlo HD wird mit CR123-Batterien versorgt, die anderen haben aufladbare Akkus. Einzeln sind die CR123 exorbitant teuer, man kann aber Packungen mit 20 Batterien kaufen und kommt dann auf einen Euro, so meine letzte Lieferung. Der Bewegungssensor der Pro ist wesentlich sensibler als der von der HD. Außerdem ist die Optik weitwinkliger. Es geht einfach mehr drauf.

Ich hatte bisher vier Kameras in Betrieb: eine Pro und drei HD. Zwei dieser HDs werden nun anders verwendet und durch Pro 2 ersetzt. Eine verschenke ich mit der alten Basis an einen Nachbarn, die andere ist vorübergehend einfach eine Tierbeobachtungskamera, mindestens bis die Batterien leer sind. Bei der Pro habe ich ein anderes Nutzungsverhalten entdeckt. Weil ich nicht so sehr auf Stromsparen erpicht war, habe ich sie viel mehr Events aufzeichnen lassen, aber dabei auf die Alerts verzichtet. Man kann sich da beliebig austoben. Mit den Pros überwache ich nun dauerhaft Vor- und Rückseite des Hauses sowie den Eingang.

Damit man keine Nachbarn nervt, und auch damit die Kameras nicht dauernd aufwachen, installiert man sie so, dass sie auf das Haus zeigen und nicht von ihm weg. Dabei lassen sich diese Kameras wunderbar durch alles mögliche Zubehör tarnen. Man sieht sie einfach nicht. Da sie keine Kabel benötigen, kann man da sehr kreativ vorgehen. Idealerweise lösen sie nie aus, es sei denn, ein böser Bube schleicht um das Haus. Ideal ist auch der Einsatz auf dem obersten Absatz eines Mietshauses. Da wird gerne eingebrochen, da sollte aber niemals jemand sein, außer dem Mieter. Und da man keine Kabel verlegen muss, lässt sich das rückstandsfrei auch wieder zurückbauen.

• Arlo Pro 2 mit zwei Kameras, aktuell 430 statt 620 Euro
• Arlo Pro mit zwei Kameras, aktuell 340 statt 570 Euro
• Arlo HD mit zwei Kameras, aktuell 240 statt 370 Euro

Das sind nur Beispielkonfigurationen. Es gibt jede Menge Variationen mit mehr Kameras, ohne Basis zum Aufrüsten, mit LTE-Verbindung für den Einsatz weit weg, als Babyfon, mit Kabelverbindung etc.

Alle Arlo Pro unterstützen bereits Apple HomeKit, die anderen noch nicht. Dabei kann man seine Kameras in der Home App sehen. Was bisher fehlt, ist die Umschaltung der Modi zwischen Anwesend und Abwesend. Das kommt bestimmt noch. Aktuell nicht geplant ist die Speicherung von Videos bei Apple, wahrscheinlich, weil Arlo da drauf einige Services anbietet, die sie mit Apple nicht machen können.

Wichtig erscheint mir, dass man diese Cloud-Aufzeichnung als Service begreift und nicht als Sicherheitsproblem. Wer alles sowieso zu Hause auf sein NAS speichern will, der kann ganz anders und billiger basteln. Ich habe keine Arlos im Haus. Alles, was die Arlos sehen, kann auch jeder andere sehen, wenn er über die Hecke schaut. Der Witz ist für mich, dass den Kameras nichts entgeht, wenn ich schlafe, nicht da bin oder einfach woanders hin gucke. Und das machen sie perfekt.

For The Washington Post, Sergio Peçanha and Tim Wallace use maps to show why we need to adjust the common view of the Amazon up in flames. It’s about the fires on the fringes.

Tags: Amazon, fire, Washington Post

There was one research project that worked exactly like what you're describing. It was called Project Planner... scroll down for more info here: https://kftf.ischool.washington.edu/projectdetail.htm#p_planner I'm not sure if it's still available for download, what the status is, or what the relationship is with another related research project called "Planz".

This has been in the cards for so long and there has been so much (often uninformed) discussion I’m actually surprised the FAQ has an entry titled “I didn’t hear anything about this till just now.”

I switched all my projects to Python 3 gradually (targeting 3.5, a little over a year ago), and it’s been truly painless. Having used it since 1.2, I can appreciate how far it’s come and how things have changed since (literally) the turn of the century.

It’s still my go-to programming language, and I’m looking forward to PyPy and Cython improvements in ARM - it will never be the fastest language on the planet (I look to plain C, Go and Java for that), but its ecosystem still gives me the most bang for the buck with the least hassle, and that, I think, is the real reason why it’s been so successful over the years.

We live in a time where simple solutions to problems are often overlooked for technological answers. It’s no surprise given that many people perceive technology as helpful, and in many instances it is. But it’s always important to figure out what the problem is that a technological answer seeks to solve.

Take a look at this installation at a traffic intersection in Singapore that allows a senior citizen (who has the requisite senior citizen’s card) to “swipe” the pedestrian crossing button to get up to thirteen seconds extra crossing time on a busy street. The “Green Man Plus” system was introduced in 2009 for seniors and “those with disabilities” to be allowed extra crossing time. As ABC reporter Stephen Dziedzic stated on Twitter

“At some Singapore intersections you can swipe your Senior Card and the crossing light will stay green for a little longer, giving you extra time to reach the other side of the road. I find this very touching.”

 

While the Twitterverse thought this was indeed a very good idea to enhance equity, the question really is who is equal here? And instead of installing hundreds of these pedestrian installations that require a card to activate them, why not increase the crossing time on the timing of the light cycle in favour of all pedestrians, no matter who they are or when they are crossing? If people using the sidewalks and crosswalks are truly the most valued and most vulnerable users, why not treat them that way, and allow everyone a longer crossing time without a card to ask permission?

Locally, another example of technological invention also focuses on the wrong end of the problem.

The Richmond News reported on the award winning innovative design developed by Philip Siwek that is much in the same category. Mr. Siwek has developed “an innovative cycling jacket that lets self-driving cars detect cyclists on the road” which is an “emerging problem” as autonomous vehicles become more prevalent. You will be surprised at how it works- “by having barcodes placed on the jacket that are scanned by vehicles, thus lessening the risk of accidents involving self-driving cars and cyclists.” 

The actual jacket has “ integrated machine-readable retro-reflective bar codes that are detectable to AV camera sensors in situations where visibility and correct identification would normally be hindered: at night and in heavy rain, fog or snow.” 

But wait a minute~despite this genius invention, the fact that autonomous vehicles cannot “read” cyclists should not be a problem that cyclists need to correct but one that vehicular manufacturers need to figure out. It of course also calls for better road design and protected cycling facilities which should be done anyway to encourage cycling. And what happens to pedestrians and anyone using the sidewalks or intersections in inclement weather? Do they borrow a barcode to cross the street?

The YouTube video below is from the Singapore Land Transport Authority on how to use the Green Man Plus system for those extra few crossing seconds.

 Image: Philipsiwek.com

 

Hi Jim,

Would a combination of macOS-like Finder (Miller columns file explorer) + the ability to also see files in the folder tree be good for you ?

https://www.youtube.com/watch?v=WHwX25AO4uk

Pierre
IQ Designer
http://www.infoqube.biz

Mother Jones is posing the ultimate question for a publication: What words should you capitalize in a headline? I certainly know where I stand. There are four methods to decide which words get capitalized in headings: Sentence case: Capitalize only the first word, like a sentence. This is now the standard at the Washington Post, … Continued

The post In praise of sentence case for headlines appeared first on without bullshit.

A new phase has started in how we think and write about climate change.  Extinction Lit: considering its inevitability, and what that means.   

Here’s a current example from the venerable New Yorker, by novelist Jonathan Franzen:

 

If you care about the planet, and about the people and animals who live on it, there are two ways to think about this. You can keep on hoping that catastrophe is preventable, and feel ever more frustrated or enraged by the world’s inaction. Or you can accept that disaster is coming, and begin to rethink what it means to have hope. …

Call me a pessimist or call me a humanist, but I don’t see human nature fundamentally changing anytime soon. I can run ten thousand scenarios through my model, and in not one of them do I see the two-degree target being met. …

… a false hope of salvation can be actively harmful. If you persist in believing that catastrophe can be averted, you commit yourself to tackling a problem so immense that it needs to be everyone’s overriding priority forever. One result, weirdly, is a kind of complacency: by voting for green candidates, riding a bicycle to work, avoiding air travel, you might feel that you’ve done everything you can for the only thing worth doing. Whereas, if you accept the reality that the planet will soon overheat to the point of threatening civilization, there’s a whole lot more you should be doing.

And then there’s the matter of hope. If your hope for the future depends on a wildly optimistic scenario, what will you do ten years from now, when the scenario becomes unworkable even in theory? Give up on the planet entirely? To borrow from the advice of financial planners, I might suggest a more balanced portfolio of hopes, some of them longer-term, most of them shorter. …

Any good thing you do now is arguably a hedge against the hotter future, but the really meaningful thing is that it’s good today. As long as you have something to love, you have something to hope for. …

 

Much more here.

mkalus shared this story from ottocrat on Twitter.

---

mkalus shared this story from mrjamesob on Twitter.

---

When Hurricane Juan struck Prince Edward Island in 2003, our neighbourhood, while not devastated, was certainly affected: huge trees came down, power was out for several days, and there was a lot of cleaning up to do. Including, the morning after, helping to run a provincial general election, and, the day after that, holding Oliver’s 3rd birthday party.

Hurricane Dorian passed over the Island on Saturday, and, if you are following the news at all, you will see that there were significant impacts: power (still) out to a large swath of the population, barns and boats destroyed, campgrounds flooded, huge trees down.

At 100 Prince Street, though, it was almost like nothing happened: we lost power for 2 hours on Saturday afternoon, which was enough time for a good nap. The power came back on in time to let me make supper, and has been back on ever since. There was a single small branch down in the back yard, and an uptick in the number of leaves down. But that was it.

We’ve had a lot on our plate this September, so I thank the fates for sparing us the additional challenges of storm recovery. And thoughts go out to Islanders, and others in Dorian’s wake, not so-spared.

Last week, I wrote about the importance of properly handling user input in our websites and applications. I alluded to an overarching security lesson that I hope to make explicit today: the security of our software, application, and customer data is built from the ground up, long before the product goes live.

The OWASP Top 10 is a comprehensive guide to web application security risks. It is relied upon by technology professionals, corporations, and those interested in cybersecurity or information security. The most recent publication lists Sensitive Data Exposure as the third most critical web application security risk. Here’s how the risk is described:

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

“Sensitive Data Exposure” is a sort of catch-all category for leaked data resulting from many sources, ranging from weak cryptographic algorithms to unenforced encryption. The simplest source of this security risk, however, takes far fewer syllables to describe: people.

The phrase “an ounce of prevention is worth a pound of cure,” applies to medicine as well as secure software development. In the world of the latter, this is referred to as “pushing left,” a rather unintuitive term for establishing security best practices earlier, rather than later, in the software development life cycle (SDLC). Establishing procedures “to the left” of the SDLC can help ensure that the people involved in creating a software product are properly taking care of sensitive data from day one.

Unfortunately, a good amount of security testing often seems to occur much farther to the right side of the SDLC; too late for some security issues, such as sensitive data leakage, to be prevented.

I’m one of the authors contributing to the upcoming OWASP Testing Guide and recently expanded a section on search engine discovery reconnaissance, or what the kids these days call “Google dorking.” This is one method, and arguably the most accessible method, by which a security tester (or black hat hacker) could find exposed sensitive data on the Internet. Here’s an excerpt from that section (currently a work in progress on GitHub, to be released in v5):

Search Operators

A search operator is a special keyword that extends the capabilities of regular search queries, and can help obtain more specific results. They generally take the form of operator:query. Here are some commonly supported search operators:

• site: will limit the search to the provided URL.
• inurl: will only return results that include the keyword in the URL.
• intitle: will only return results that have the keyword in the page title.
• intext: or inbody: will only search for the keyword in the body of pages.
• filetype: will match only a specific filetype, i.e. png, or php.

For example, to find the web content of owasp.org as indexed by a typical search engine, the syntax required is:

site:owasp.org

…

Google Hacking, or Dorking

Searching with operators can be a very effective discovery reconnaissance technique when combined with the creativity of the tester. Operators can be chained to effectively discover specific kinds of sensitive files and information. This technique, called Google hacking or Google dorking, is also possible using other search engines, as long as the search operators are supported.

A database of dorks, such as Google Hacking Database, is a useful resource that can help uncover specific information.

Regularly reviewing search engine results can be a fruitful task for security testers. However, when a search for site:myapp.com passwords turns up no results, it may still be a little too early to break for lunch. Here are a couple other places a security tester might like to look for sensitive data exposed in the wild.

Pastebin

The self-declared “#1 paste tool since 2002,” Pastebin allows users to temporarily store any kind of text. It’s mostly used for sharing information with others, or retrieving your own “paste” on another machine, perhaps in another location. Pastebin makes it easy to share large amounts of complicated text, like error logs, source code, configuration files, tokens, api keys… what’s that? Oh, yes, it’s public by default.

Here are some screenshots of a little dorking I did for a public bug bounty program.

API keys in plain view.

Log-in details out in the open.

Thanks in part to the convenience of using Pastebin and similar websites, it would appear that some people fail to think twice before making sensitive data publicly available.

But why?

Granted, non-technical employees with access to the application may not have an understanding of which items should or should not be freely shared. Someone unfamiliar with what encrypted data is or what it looks like may not realize the difference between an encrypted string and an unencrypted token made up of many random letters and numbers. Even technical staff can miss things, make mistakes, or act carelessly after a hard day at work. It may be easy to call this a training problem and move on; however, none of these rationalizations address the root cause of the issue.

When people turn to outside solutions for an issue they face, it’s usually because they haven’t been provided with an equally-appealing internal solution, or are unaware that one exists. Employees using pastes to share or move sensitive data do so because they don’t have an easier, more convenient, and secure internal solution to use instead.

Mitigation

Everyone involved in the creation and maintenance of a web application should be briefed on a few basic things in regards to sensitive data protection:

1. what constitutes sensitive data,
2. the difference between plain text and encrypted data, and
3. how to properly transmit and store sensitive data.

When it comes to third-party services, ensure people are aware that some transmission may not be encrypted, or may be publicly searchable. If there is no system currently in place for safely sharing and storing sensitive data internally, this is a good place to start. The security of application data is in the hands of everyone on the team, from administrative staff to C-level executives. Ensure people have the tools they need to work securely.

Public repositories

Developers are notorious for leaving sensitive information hanging out where it doesn’t belong (yes, I’ve done it too!). Without a strong push-left approach in place for handling tokens, secrets, and keys, these little gems can end up in full public view on sites like GitHub, GitLab, and Bitbucket (to name a few). A 2019 study found that thousands of new, unique secrets are leaked every day on GitHub alone.

GitHub has implemented measures like token scanning, and GitLab 11.9 introduced secret detection. While these tools aim to reduce the chances that a secret might accidentally be committed, to put it bluntly, it’s really not their job. Secret scanning won’t stop developers from committing the data in the first place.

But why?

Without an obvious process in place for managing secrets, developers may tend too much towards their innate sense of just-get-it-done-ness. Sometimes this leads to the expedient but irresponsible practice of storing keys as unencrypted variables within the program, perhaps with the intention of it being temporary. Nonetheless, these variables inevitably fall from front of mind and end up in a commit.

Mitigation

Having a strong push-left culture means ensuring that sensitive data is properly stored and can be securely retrieved long before anyone is ready to make a commit. Tools and strategies for doing so are readily available for those who seek them. Here are some examples of tools that can support a push-left approach:

• Use a management tool to store and control access to keys and secrets, such as Amazon Key Management Service or Microsoft’s Azure Key Vault.
• Make use of encrypted environment variables in CI tools, such as Netlify’s environment variables or virtual environments in GitHub Actions.
• Craft a robust .gitignore file that everyone on the team can contribute to and use.

We also need not rely entirely on the public repository to catch those mistakes that may still slip through. It’s possible to set up Git pre-commit hooks that scan for committed secrets using regular expressions. There are some open-source programs available for this, such as Talisman from ThoughtWorks and git-secrets from AWS Labs.

Pushing left to prevent sensitive data exposure

A little perspective can go a long way in demonstrating why it’s important to begin managing sensitive data even before any sensitive data exists. By establishing security best practices on the left of the SDLC, we give our people the best chance to increase the odds that any future dorking on our software product looks more like this.

Another great resource for checking up on the security of our data is Troy Hunt’s Have I Been Pwned, a service that compares your data (such as your email) to data that has been leaked in previous data breaches.

To learn about more ways we can be proactive with our application security, the OWASP Proactive Controls publication is a great resource. There’s also more about creating a push-left approach to security in the upcoming OWASP Testing Guide. If these topics interest you, I encourage you to read, learn, and contribute so more people will make it harder for sensitive data to be found.

mkalus shared this story from HeleneBismarck on Twitter.

---

The fallout from the Jeffrey Epstein scandal continues to roil. Ethan Zuckerman has left the Media Lab. Joi Ito has resigned in disgrace, Nicholas Negroponte offered a bone-headed defense, Lawrence Lessig has written a bone-headed defense, an official at Brown has been taken down, we probably haven't seen the end of the Steven Pinker connection, and Evgeny Morozov writes, in an argument that I largely agree with, that "the Epstein scandal at MIT shows the moral bankruptcy of techno-elites."

I have written and spoken often of the Harvard-Yale-MIT-Stanford nexus. I've commented on the role of higher education in helping rich people become more rich. I've discussed how the primary rule at things like TED talks is "don't offend corporate elites." I've questioned the motives of foundations like Gates and others. I've certainly questioned the role of Creative Commons in the commodification and commercialization of the stuff we want to share. I didn't know about the seamier side of all this, but hey, it's just what you would expect to go along with wealth and power.

I've worked in the same industry as all these people, often on the same topics - from content syndication to open content to social networking to decentralized networks. But never with these people. This reflects no virtue on my part - there isn't a chance in the world they would ever have me. I'm not money, I'm not Harvard, I'm not connected.

They all know each other, of course, just the same way the people in my own community all know each other. There's a group of people who I would characterize as creating the real change in educational technology, not one of whom has any real connection to the well-funded world of elite universities. We can't compete for fund-raising, for venture capital, for media, not because we're not any better, but because we're not like them.

Now we've learned that being 'like them' means tolerating and even promoting the worst excesses of billionaires. But don't think of this as exceptional. Think of this as business as usual.

Now having said all that I have to ask myself whether I'm any better than them. To be sure, I haven't sold young girls into servitude or anything like that. And when I have found myself in positions that could have become compromising, I have said "no." But I have to admit to having looked with some envy at the well-funded careers of the ed tech stars. And I wonder whether I would have said "no" if, say, Media Lab had asked me to work there. I'd like to think I would have.

After all, I work in a government research lab here in Canada. I take money from whatever government is in power here. I don't think our governments have been involved in any such dealings, but we've had Prime Ministers from different parties who are comfortable with the Davos elite, comfortable with the 'own your own island' set. And contra Lawrence Lessig, I don't think any large sum of money is ethically clean. As I've often said, "great wealth is prima facie evidence of criminality."

Would I have taken money from Microsoft or Apple, had it ever been offered? There's a lot of prestige there, and who cares if they got their start with a little under-the-table phreaking and held their edge with questionable business practices? I could be comfortable with my own ethics while not worrying about those of my funders. Would I have taken Facebook money, were it ever offered? Google's? Blackboard's? Would I have accepted a Davos invitation, or a chance to publish a well-publicized book?

All I would have to do is to accept a few things, say a few things are true, bend a little on some of my core philosophies, turn a blind eye to some others. That wouldn't really be so hard, would it?

How much of a leap is it from being a quiet law-abiding technologist in a small research lab in Ottawa to a well-funded media star at MIT being careful to be quiet about some of the more unsavory aspects of where the money comes from? I think I'm better than that, I want to be better than that. And through my career I've said and done things that pretty much ensured that I'd never be in a position to accept such funding.

Look. I'm glad this thing has blown up on them. I hope the whole lot of them are taken down. They disgust me. But it should have happened a long time ago. But it didn't, and this shows just how tight this nexus is, how close the connections are between billionaires, corporations, government, media, and academia. And they're not going to be taken down by this, not even by this, because there's no end to the supply of people willing to give up just a little in order to work for the rich and the powerful.

But just know, there are things I see every day that sets off this whole chain of thought in my mind. When someone quotes preferentially from the Harvard-Yale-MIT-Stanford nexus, instead of the commoners who actually developed an idea. When some media outlet (and I include you, CBC) focuses on people who publish books, instead of people who blog and share openly. When I read about support for charter schools, educational disruption, direct instruction, and content knowledge over critical thinking. When people tell us people are better and better off, because of rising GDPs. When people tweet TED talks, or worse, promote themselves via TED talks. When people say the people need leaders.

I think my best defense to Epstein-level corruption has been to make myself unattractive to it. But my proximity to the industry has show me how easy it is, and how many entry-level openings there are for the next incumbent. Just begin with a short post highlighting a charter school's innovation, a tech startup founded in a dorm room, a book by a Harvard grad. Follow the invitations from there...

Has there ever been as enthusiastic a guest on the Cool Tools podcast as Susie Bright?

To say nothing of the breadth of her tool recommendation choices: Gingher Craft Scissors, Palomino Blackwing 602 Pencils, the Original Magic Wand and the Heavy Duty Commercial Potato Ricer.

Truly an episode where the deadpan curiosity of co-hosts Kevin Kelly and Mark Frauenfelder provides an excellent canvas on which Bright can paint.

Why Are Books Published on Tuesdays?

(TL;DR nobody knows)

Via Notes from a Small Press.

Sean Marshall @Sean_YYZ
I just wrote about my experience walking around suburban North York where a pedestrian was struck and killed in Jul… twitter.com/i/web/status/1…

Our probably-last Cottage-Life weekend of 2019 featured cetacean encounters and rodent rage. But I didn’t manage to photograph any of that, so just the usual trees and sunsets.

Like this:

Killers!

This morning I was alone at the breakfast table, considering the sea as one does, when I saw them and was yelling “whales!” at the family. There were five killer whales, one an adorable juvenile who put a little hop into every surface-to-breathe. They weren’t in a hurry, stayed for a while.

“Orcas” is more common but I say “killer whales”. Scientists prefer that too, although “orca” has etymological standing, per Wikipedia. A whale specialist told me “orca” was popularized by the marketing group at SeaWorld; they didn’t like having “killer” in their big stars’ names; family values, y’know.

Anyhow, our local killer whale population is in trouble, and that trouble is about to get worse since the Government of Canada has in its wisdom decided to bless the tar-sands pipeline that will run a tanker more or less every day through their home waters. So a random visit is a precious gift, one that might never be repeated.

Here’s today’s only picture with an animal: A feral kid scrambling up a alien-flavored tree construct.

Rodent rage

What happened was, I came up the ramp to the front of the cabin and there, where we have the barbecue and the recycling, was a big chunky raccoon with a beautiful silky coat, bursting with health and vigor, looking for leavings. I thought “Let’s put on a show here and disincent repeat visits” so I yelled “Hey, get outta here” and charged him. He skedaddled to the corner of the cabin and turned left, but had traction problems on the deck so I rounded the corner right behind him. He opened a lead on the dirt trail alongside the cabin and turned left again. I chased him down the path at the cabin’s back but it wasn’t close; he turned left yet again but was out of sight by the time I got to that third turn.

I thought I’d made my point and sauntered back up to the front door — and there was the raccoon again, finishing his foraging. I kind of lost it, shrieking “Gimme a **** break you **** sleazy ****!” and sprinting like a teenager.

Genuine rage makes all the difference. He headed straight sideways into the woods, never looking back. I thought he was running before, but this time he turned on his warp drive, like when they say “Engage!” on Star Trek.

He probably skulked back when we sailed for home this afternoon but we keep the place battened down in absentia. I hope we’ll be less likely to see him on future occasions when we’re in residence.

A recent APK teardown of the Google Camera app version 6.3, discovered by XDA Developers’ senior member ‘cstark27,‘ reveals new information about the Pixel 4.

Reportedly the camera app revealed coding that suggested the phone will sport a ‘zoom-in microphone feature,’ called Audio Zoom. The zoom-in mic is a functionality that some devices already have including the Galaxy Note 10+. The feature helps with microphone issues during video recordings.

The APK also includes ‘Live HDR,’ which may reportedly apply HDR in the camera viewfinder in real-time. Additionally, it can retouch pictures in under 20 milliseconds. That’s if the company ends up using the ‘HDRNet‘ algorithm developed by MIT and Google researchers.

Next up are better wide-angle selfies.  Reportedly the phone will be able to take wide-angle selfies with a functionality called ‘Mesh Warp.’

Mesh Warp will use software to fix wide-angle distortion allowing both the background and foreground to look clear. So even though the Pixel 4 won’t sport two selfie cameras like the Pixel 3 XL, users will still be able to take wide-angle pictures.

The leak also included information about the Pixel 4’s Night Sight enhancements, however, a promotional video of the upcoming handset reveals details about the feature. Users will be able to take pictures of the starry sky with the device’s camera.

Source: XDA Developers 

The post Google Camera teardown reveals ‘audio zoom,’ ‘live HDR’ and more for Pixel 4 appeared first on MobileSyrup.

Apple has quietly started to revamp some of its retail locations with 3D window displays.

Over the past few days, some Twitter users have posted photos of their local Apple Stores undergoing changes. Following this, Mark Gurman, Bloomberg‘s frequent Apple tipster, said Apple is “bringing back the old-school 3D front windows at some stores.”

Reason: It’s because they’re bringing back the old-school 3D front windows at some stores. Here are some old examples. I liked these. https://t.co/IQBbFF0tCn pic.twitter.com/LxhBlTUo65

— Mark Gurman (@markgurman) September 9, 2019

An Apple spokesperson later confirmed to MacRumors that the company is indeed bringing back the front displays.

Over time, Apple moved away from the 3D displays as it updated the designs of its retail locations. However, as leadership has changed, it appears that Apple is looking to bring back some of the old design elements, including the displays.

It remains to be seen if Apple will bring the 3D windows to Canadian locations as well.

Source: iMore

The post Some Apple Stores being updated with 3D window displays appeared first on MobileSyrup.

Volkswagen has taken the first major step towards its electric future with the unveiling of the new ID.3 EV.

The car will be the first electric car built on the company’s MEB platform to hit the market for VW. Unfortunately, Volkswagen originally said it’s only going to be released in Europe, since North America is going to get a crossover style vehicle built on the platform.

Although, the press release didn’t mention any specific launch markets.

Still, the ID.3 is an exciting car that will turn a lot of heads.

First up it’s going to be on sale with three different range options. The base model has a 330 km range, the next step up can travel 420 km, then the final choice has a 550 km range. VW says you can fast charge with compatible charges up to 290 km in just under 30 minutes.

The base model is slated to cost €30,000, (roughly, $43,500 CAD). It’s also slated to have a top speed of 160 km/h

Volkswagen is launching the car with three-tier options which each has more features than the last. You can find out details about it in the company’s press release.

To go along with the ID.3 VW showed off a modern version of its logo that drops the 3D aspects and replaces it with a much cleaner look.

Source: Volkswagen

The post Volkswagen unveils new logo and all-electric ID.3 hatchback appeared first on MobileSyrup.

Bianca Andreescu’s historic win at the U.S. Open broke the record for Bell Media’s sports channels TSN and RDS.

Across the two channels, the match garnered 3.4 million viewers, which means it had a higher average viewership compared the 2019 Stanley Cup final.

Overall, around 7.4 million unique viewers tuned into the match at some point, according to Bell’s press release.

The viewership peaked during the second set with 5.3 million viewers.

Source: Bell Media

The post Bianca Andreescu’s US Open championship watched more than 2019 Stanley Cup final appeared first on MobileSyrup.

SAN FRANCISCO, Calif., September 5, 2019 — Purism begins its iterative shipping schedule for the much anticipated Librem 5 phone running PureOS.

The Librem 5 phone is built from the ground up to respect the privacy, security, and freedoms of society. It is a revolutionary approach to solving the issues that people face today around data exploitation — putting people in control of their own digital lives.

Due to the high volume, growing demand for the Librem 5, and in the interest of openness and transparency, Purism is publishing its full, detailed, iterative shipping schedule. This expands on the existing commitment to start shipping in Q3 by defining specific batches, their features, and their corresponding ship dates.

Most companies keep their release and product plans secret right up until mass production launch, so they can avoid publicizing any setbacks or delays; but we have decided to bring our community and customers along with us for the Librem 5 journey, and have been transparent about our progress from the beginning. This means you have been able to celebrate along with us as we have reached milestones like shipping our devkit in 2018, the NXP CPU silicon issues we had to overcome, placing our first call in early 2019, sending our first SMS. You have been able to track our software progress directly from our public code repositories and watch live updates to libhandy, Phosh, Chatty, and the rest of our software. And we are compliant with, and submitting for, the “Respects Your Freedom” certification from the Free Software Foundation.

The iteration schedule starts in September, 2019, and the Librem 5 will be shipping in batches with incrementing code names. Each iteration improves upon the prior in a rapid rolling release throughout the entire first version of the phone, including the public plans for the second revision of the phone for context.

Every iteration includes updates to hardware, mechanical design, and software. We will be contacting each customer to confirm their shipping address, which modem and power supply they would like, and to confirm which shipping batch they are currently scheduled to receive — and to give them an opportunity to select a later batch than they are scheduled for, should they prefer to wait for a later iteration. As slots in a particular early batch free up, we will open it up for others in a later batch to join in, according to the date of the order.

If you haven‘t yet placed your order (or want to place an additional order) — the sooner you order, the earlier the shipping batch you will be added into.

Batch Aspen

Hardware: Initial board, all hardware components included.

Mechanical Design: Individually milled case, loose fit, varying alignment, unfinished switch caps (hand crafted).

Software: Initial release of core Apps, manage contacts, basic web browsing, early power management, software updates from the PureOS Store via the terminal.

Certifications: FCC and CE for Radios

Shipping window: September 24th – October 22nd (internal batch)

Batch Birch

Hardware: Next run of board, all hardware included.

Mechanical Design: Aspen + tighter fit, improved alignment.

Software: Aspen + improved setup, improved web browsing, improved power management.

Certifications: FCC and CE for Radios

Shipping window: October 29th – November 26th (delivered on time)

Batch Chestnut

Hardware: All hardware included.

Mechanical Design: Birch + capped switches.

Software: Birch + final setup, improved web browsing, improved power management.

Certifications: FCC and CE for Radios

Shipping window: December 3rd – December 31st (delivered on time)

Batch Dogwood

Hardware: All hardware included.

Mechanical Design: Chestnut + refinements.

Software: Chestnut + core apps improved, additional applications, refined graphical PureOS Store.

Certifications: FCC and CE for Radios

Shipping window: January 7th – March 31st (delayed due to Coronavirus outbreak)

Expected shipping window: End of April 2020

Batch Evergreen

Hardware: All hardware included.

Mechanical Design: Molded case.

Software: Long term support release

Certifications: FCC and CE

Shipping window: Q2 2020 (delayed due to Coronavirus outbreak)

Expected shipping start: Mid August

Batch Fir

Hardware: 14nm Next Generation CPU

Mechanical Design: Version 2

Software: Long term support release

Certifications: FCC and CE

Shipping window: Q4 2020 (delayed due to Coronavirus outbreak)

Expected shipping to be updated.

Thank you to all the supporters who continue to share the Purism story with the world — this is a long-term movement around creating a digital society that respects people. Purism started in 2014 and has been growing triple digits year-over-year. The Librem 5 project started in 2017 with early bird backers rapidly funding the 60 day campaign that blew past the $2.5m mark. The Librem 5 devkit was released in December 2018. Software inventions and releases have been ongoing for a few years. Now we begin the iterative production releases of the Librem 5 phone, which our entire team is very excited to share.

 

---

About Purism

Purism is a Social Purpose Corporation devoted to bringing security, privacy, software freedom, and digital independence to everyone’s personal computing experience. With operations based in San Francisco, California, and around the world, Purism manufactures premium-quality laptops and phones, creating beautiful and powerful devices meant to protect users’ digital lives without requiring a compromise on ease of use. Purism designs and assembles its hardware by carefully selecting internationally sourced components to be privacy-respecting and fully Free-Software-compliant. Security and privacy-centric features come built-in with every product Purism makes, making security and privacy the simpler, logical choice for individuals and businesses.

Media Contact

Marie Williams, Coderella / Purism +1 415-689-4029 pr@puri.sm

See also the Purism press room for additional tools and announcements

 

The post Librem 5 Shipping Announcement appeared first on Purism.

mkalus shared this story from Science-Based Medicine.

---