Why Twitter can't agree on a simple math equation
I came across this tweet this morning, followed by the replies of approximately 9.7 thousand people arguing over what the correct answer actually is.
Responsive deep work
Remote work skills are more critical than ever and I’m feeling pretty lucky lately to have been working remotely the past few years. I used to summarize remote work as something that’s “great for some, but not for everyone”. I felt it would always collapse to one of two states:
How contact tracing retains cryptographic privacy
Apple and Google are working on a new contact tracing protocol, built on top of Bluetooth broadcasts, that governments can use to build contact tracing mobile apps for end-users. It was released this week. We’ve heard lots of talk about how this is “privacy preserving”.
You may think that it would be pretty challenging to keep a record of everyone you’ve seen, and compare that to a record of who everyone else has seen, without sharing any records of where anyone has been. This post covers how we can do it.
Developers don't understand CORS
One of the best things about working in full stack consulting is that I get to work with a great number of developers with different skill levels in companies of various sizes and industries. This provides an opportunity to see what universal struggles come up. One that seems common and relevant recently is this: too many web developers do not understand how CORS works.
Entropy loss for reinforcement learning
Reinforcement learning agents are notoriously unstable to train compared to other types of machine learning algorithms. One of the ways that a reinforcement learning algorithm can underperform is by becoming stuck during training on a strategy that is neither a good solution nor the absolute worst solution. We generally refer to this phenomenon as reaching a “local minimum” in the space of game strategies.
Executing gradient descent on the earth
A common analogy for explaining gradient descent goes like the following: a person is stuck in the mountains during heavy fog, and must navigate their way down. The natural way they will approach this is to look at the slope of the visible ground around them and slowly work their way down the mountain by following the downward slope.
This captures the essence of gradient descent, but the analogy always ends up breaking down when we scale to a high dimensional space where we have very little idea what the actual geometry of that space is. In the end, though, it’s often not a practical concern because gradient descent seems to work pretty well.
But the important question is: how well does gradient descent perform on the actual earth?
Stealing credentials with a malicious node module
A common misconception I’ve seen while talking to people in the node ecosystem is that a module’s “reach” is contained to the context it is used in. This is not the case. Every single module you import, if turned malicious, can affect any other module that you depend on.
To demonstrate this concept, I’ve created the module multiply-by-two. This module contains a synchronous function which returns the provided number multiplied by two. Additionally, if you use express and Stripe, it will capture your users’ credit card details via an injected script (an XSS attack).
Dangerous use of express body-parser
Cross-Site Request Forgery, or CSRF, is a type of attack that developers are familiar with in traditional web applications, but often misunderstand or forget about when it comes to newer REST APIs. Much of this misunderstanding and lack of consideration occurs because applications built on REST APIs often don’t need to worry about CSRF. While many architectural differences in REST reduce the risk of CSRF attacks, that doesn’t mean we can simply ignore them entirely. Express’s body-parser module is a great recent example of this.
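As an added illustration of the general point (not code from the post, and not body-parser's own code), here is why a JSON API that only parses `application/json` bodies is hard to forge from a cross-origin HTML form, and how a parser configured to accept any content type gives that protection back. The parser below is a constructed stand-in with a body-parser-like `type` option; the forged request models a `<form enctype="text/plain">` whose field name carries the JSON text.

```javascript
// Added illustration: CSRF against a JSON endpoint depends on what the body
// parser is willing to parse. Constructed parser and request, not body-parser.

// An HTML form on another origin can submit only these content types without
// a CORS preflight; anything else needs the server to opt in first.
const FORM_CONTENT_TYPES = [
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
];

function mediaType(req) {
  return (req.headers['content-type'] || '').split(';')[0].trim().toLowerCase();
}

function canHtmlFormSend(contentType) {
  return FORM_CONTENT_TYPES.includes(contentType.split(';')[0].trim().toLowerCase());
}

// Constructed JSON parser. `type` is either a media type string or a
// predicate over the request; requests it does not accept are left with an
// empty body, the way a skipped middleware would.
function jsonParser({ type = 'application/json' } = {}) {
  const accepts = typeof type === 'function' ? type : (req) => mediaType(req) === type;
  return function parse(req) {
    if (!accepts(req)) return { ...req, body: {} };
    try {
      return { ...req, body: JSON.parse(req.rawBody) };
    } catch (e) {
      return { ...req, body: {} };
    }
  };
}

// Endpoint that trusts req.body once the session cookie checks out.
function transferHandler(req) {
  if (req.cookies.session !== 'valid') return { status: 401 };
  if (typeof req.body.amount !== 'number') return { status: 400 };
  return { status: 200, transferred: req.body.amount };
}

// Constructed forged request. A text/plain form encodes each field as
// name=value followed by CRLF, so a field named {"amount":5000,"to":"attacker","x":"
// with value "} yields a body that is valid JSON. The browser attaches the
// victim's cookie on its own.
const forgedRequest = {
  method: 'POST',
  headers: { 'content-type': 'text/plain' },
  cookies: { session: 'valid' },
  rawBody: '{"amount":5000,"to":"attacker","x":"="}\r\n',
};

function run() {
  const strict = jsonParser();                          // application/json only
  const lenient = jsonParser({ type: () => true });     // parse whatever arrives
  return {
    formCanSendIt: canHtmlFormSend(forgedRequest.headers['content-type']),
    strict: transferHandler(strict(forgedRequest)).status,   // 400: body never parsed
    lenient: transferHandler(lenient(forgedRequest)).status, // 200: forged transfer succeeds
  };
}
```

The strict content-type check is what keeps the preflight in play; loosening it so the API "just works" for every client quietly removes that barrier. Keeping the check strict is not a substitute for a CSRF token or a SameSite cookie, but it is the piece that is easiest to lose in a parser configuration.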
Privilege escalation via Docker
TL;DR: Don’t use the ‘docker’ group.
Docker, if you aren’t already familiar with it, is a lightweight runtime and packaging tool. It feels very similar to running a basic virtual machine, but with much less overhead, because containers share the host kernel rather than virtualizing one. It’s extremely nice for deploying applications as you can guarantee that they will run in identical environments, and the commit-like image system is handy as well.
If you have gained access to a user account on a machine, and that user is a member of the ‘docker’ group, running the following command will give you a root shell:
Thirty days of casual soylent
During the month of September 2014 I experimented with a DIY version of soylent. I know that many people have started using the food substitute as a sole source of nutrition, but I wanted to focus on using soylent in a more casual manner. Specifically, as a student, food on campus is often expensive and homemade lunches are often difficult to carry around, not nutritious, or require reheating. Soylent is none of those things, so I suspected it might make an ideal lunch substitute for a student.