Labnotes

Weekend Reading — Round up: Komodia


Design Objective

Why Samsung Design Stinks The story that wants to make you feel better about "Designed in the U.S." and conveniently forgets that "shipping" and "profit" are what separate art from design:

New designs have to make their way through this structure, and managers have to be able to justify their profitability.
...
One common misstep Lee encountered was that Valley companies would design products with impossible specs—like wearables that required battery technology that didn't exist.

Responsible Social Share Links

Stop loading third-party scripts

It’s important to design and build sites responsibly—people pay for data and to truly serve a global audience where 3G and 4G networks are luxuries or nonexistent, every byte of data transferred matters.


Tools of the Trade

MUI "MUI is a lightweight HTML, CSS and JS framework for sites that follow Google's Material Design guidelines." And it even supports HTML emails!

Responsive Email Layouts for Gmail App Android is the new IE: here's what you need to know about supporting Gmail and Android in its latest and legacy versions.

Font Loading Revisited with Font Events Dealing with the dreaded FOIT (Flash of Invisible Text), this time using the proposed font events API.

websocketd "It's like CGI, twenty years later, for WebSockets"

HTTP/2 is Done Remember when we could talk to HTTP servers using telnet/nc?

What Is WebRTC and How Does It Work?

Cutting out the inner part of an element using clip-path

Better SVG Fallback and Art Direction With The Element

BitcoinEmissions A project to calculate CO2 emissions of mining bitcoin:

According to our calculations as of May 1st 2014 each bitcoin will release ~103 kg of CO2 into the atmosphere. That happens once every 24 seconds.


Lingua Scripta

io.js Roadmap What's ahead for io.js. This presentation is work in progress, so expect it to change. Meanwhile, release notes for io.js 1.3.0.

Classes in ECMAScript 6 (final semantics) For a brief moment in time, classes in JavaScript are both simple and elegant. Let's savor the moment.


Lines of Code

Excuses For Lazy Coders Can't. Stop. Refreshing.

How Pac-Man’s Ghosts Think & Hunt Smart behavior from simple algorithms that fit in 16KB of ROM.


Round up: Komodia

Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections TL;DR So Lenovo got confused about its business model and decided to pre-load new PCs with spyware. If you bought a Lenovo in the past year, now's the time to panic.

Extracting the SuperFish certificate This is how easy it was to extract the certificate and password from SuperFish:

I ran my cracking tool, and found the password in 10 seconds, "komodia".

Komodia/SuperFish SSL Validation is Broken Turns out it wasn't necessary to extract the certificate: SuperFish accepts any self-signed certificate. It basically turns all your HTTPS into HTTP.

Windows SSL Interception Gone Wild The problem is bigger than Lenovo/SuperFish alone:

We've observed more than a dozen other software applications using the Komodia library, and many of these applications appear to be suspicious.

Awesome Screenshot the Safari extension considered harmful Don't be smug. Even developer tools got infected with this crap.


Locked Doors

How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last The epic toolkit of the Equation Group that can even infect air-gapped computers:

GrayFish is the crowning achievement of the Equation Group. The malware platform is so complex that Kaspersky researchers still understand only a fraction of its capabilities and inner workings. Key to the sophistication of GrayFish is its bootkit, which allows it to take extraordinarily granular control of the machines it infects.

The Great SIM Heist When the NSA/GCHQ grow tired of asking for court approval to eavesdrop on your cell phone, they just go and steal all the SIM card keys.

Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities How error correction in browsers and tolerant Web servers combine to allow XSS vulnerabilities. A lesson in how impossible it is to anticipate every attack vector.
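To make the mechanism concrete, here is an added example (mine, not code from the linked article or its author) that shows how a path-relative stylesheet href resolves against different request URLs, and audits a page for the three page-side mitigations: absolute (or root-relative) stylesheet URLs, a doctype so the browser renders in standards mode, and the X-Content-Type-Options: nosniff header. The sample HTML and headers are constructed for the demo; the function and variable names are mine.

```python
# Added example (not from the linked article): how a path-relative stylesheet
# href resolves, and a small audit for the page-side PRSSI mitigations.
# Sample pages and headers below are constructed for the demo.
from html.parser import HTMLParser
from urllib.parse import urljoin


def resolve_stylesheet(page_url, href):
    """Return the URL a browser fetches for a stylesheet href found on page_url.

    A relative href is resolved against the request path, so extra path
    segments that a tolerant server still serves change where the CSS is
    loaded from.
    """
    return urljoin(page_url, href)


class _StylesheetCollector(HTMLParser):
    """Collect stylesheet hrefs and note whether the page declares a doctype."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.has_doctype = False

    def handle_decl(self, decl):
        # html.parser passes "DOCTYPE html" for <!DOCTYPE html>
        if decl.lower().startswith("doctype"):
            self.has_doctype = True

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        rel = (attr.get("rel") or "").lower().split()
        if "stylesheet" in rel:
            self.hrefs.append(attr.get("href") or "")


def is_path_relative(href):
    """True for hrefs like 'style.css' or '../style.css' (no scheme, no leading slash)."""
    return not (href.startswith("/") or "://" in href)


def audit_page(html, headers):
    """Return a list of findings; an empty list means all three mitigations are present."""
    parser = _StylesheetCollector()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        if is_path_relative(href):
            findings.append(
                f"path-relative stylesheet href {href!r}: use an absolute URL or a root-relative path"
            )
    if not parser.has_doctype:
        findings.append(
            "missing <!DOCTYPE>: in quirks mode the browser applies a response as CSS "
            "even when its Content-Type is not text/css"
        )
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if lowered.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing 'X-Content-Type-Options: nosniff' response header")
    return findings


# Constructed sample pages: a weak one and its hardened counterpart.
WEAK_HTML = '<html><head><link rel="stylesheet" href="style.css"></head><body>Hi</body></html>'
WEAK_HEADERS = {"Content-Type": "text/html"}

HARDENED_HTML = (
    '<!DOCTYPE html><html><head>'
    '<link rel="stylesheet" href="/static/style.css"></head><body>Hi</body></html>'
)
HARDENED_HEADERS = {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff"}


if __name__ == "__main__":
    for url in ("https://app.example/account", "https://app.example/account/extra/segments"):
        print(url, "->", resolve_stylesheet(url, "style.css"))
    print("weak page findings:", audit_page(WEAK_HTML, WEAK_HEADERS))
    print("hardened page findings:", audit_page(HARDENED_HTML, HARDENED_HEADERS))
```

The first two print lines show the crux: the same href="style.css" fetches /style.css for one request URL and /account/extra/style.css for another, which is why the fix is to stop relying on the request path at all. The audit deliberately treats scheme-relative hrefs (//cdn.example/a.css) as absolute, since they start with a slash and are not affected by the page path.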

@thegrugq "Hackers gonna hack."


None of the Above

@sorrynotsorryy

Remember when teachers used to say 'You won’t have a calculator everywhere you go.' Well, we showed them.

The Crowdsourcing Scam TL;DR crowdsourcing presents itself as a flexible schedule and a way for people to monetize their free time; in reality, we're rolling the clock back to 19th century labor practices.

BoredElonMusk "Printer cost versus quality."

NotLooking.io "Keep employers, recruiters and headhunters at bay, until you need them!"

InstaDoom Remember Doom? This brilliant mod gives your character Instagram filters and a selfie stick!