Daily Shaarli
September 20, 2024
quick recap
- arc boosts can contain arbitrary javascript
- arc boosts are stored in firestore
- the arc browser gets which boosts to use via the creatorID field
- we can arbitrarily change the creatorID field to any user id
thus, if we were to find a way to easily get someone else's user id, we would have a full attack chain
when someone refers you to arc, or you refer someone to arc, you automatically get their user id in the user_referrals table, which means you could just ask someone for their arc invite code and they'd likely give it
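A constructed example of the access control that would close the creatorID hole, added here; it is not Arc's code and not from the linked write-up. It assumes a Firestore collection named `boosts` (an assumption; the note only says boosts live in Firestore) and uses the `creatorID` field named above. The commented-out rule is the permissive shape the attack chain implies; the rules below it bind `creatorID` to the authenticated user and make it immutable, so no user can write a boost that another user's browser will load.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Collection name "boosts" is an assumption for this example.
    match /boosts/{boostId} {
      // WEAK (what the attack chain implies): any signed-in user may write a
      // boost document carrying any creatorID, so an attacker who learns a
      // victim's user id can plant JavaScript the victim's browser will run.
      // allow read, write: if request.auth != null;

      // HARDENED: creatorID must equal the writer's own uid on create, and
      // cannot be rewritten afterwards; reads are limited to one's own boosts.
      allow read: if request.auth != null
        && resource.data.creatorID == request.auth.uid;
      allow create: if request.auth != null
        && request.resource.data.creatorID == request.auth.uid;
      allow update: if request.auth != null
        && resource.data.creatorID == request.auth.uid
        && request.resource.data.creatorID == resource.data.creatorID;
      allow delete: if request.auth != null
        && resource.data.creatorID == request.auth.uid;
    }
  }
}
```

Two practical caveats: Firestore evaluates list queries against the rules, so the client's query must itself carry `where("creatorID", "==", <current uid>)` or the read rule rejects the whole query; and if boosts are meant to be shareable, the read rule would need widening, but it is the create/update rules that close the chain described above.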
About the explosion of pagers in Lebanon.
On Tuesday things changed. Whoever got admitted at the hospital with a specific kind of injury will end up in some list. Social networks will be traced and new targets will be identified.
The lessons that software developers can learn: Supply chain attacks in the real world happen every day!
I want to insist because it seems that it's not clear for everyone yet. There is no other way to mitigate software supply chain attacks for an ecosystem / programming language than to build an extensive standard library.
If Rust wants to be seriously considered to build the foundations of computing, the number one and only priority of the Rust foundation should be to work on building an "extended standard library", let's call it stdx
We'll see how this law is enforced, and how companies will display pay.
[about the tech stack with k8s] the payoff feels abstract and is hard to quantify.
It's the same for OSS dependencies.
what if platforms like AWS or GitHub started splitting the check? By adding a line-item to the invoices of their customers to support Open Source funding.
For example, 3%?
OSS projects have no governance and most of them are not ready to receive money though. How would this tax be distributed?
Another model is to pay depending on how many developers there are in the company.
The second step after recognizing the OSS funding issue is having a baseline funding amount.
The Commission will be able to appeal this decision.
LinkedIn content is now used to train AI.
There’s some good news for users in the EU, the UK, Iceland, Norway, Liechtenstein (both of them!) and Switzerland as their data isn’t being used to train LinkedIn's AI at all and won't for the foreseeable future.
Mediapart, Le Canard Enchaîné, La Lettre, Glitz Paris, Miss Tweed, L'Informé, Puck (US).
Dry toilets to use less water and recover nitrogen-rich urine (illustration).
Brands go to Sans Serif fonts and uniform logos.
Reasons?
- "modern utility": Cleaner and more legible, they are better suited to a variety of media and work particularly well online. The purity of these fonts allows the brands to be an empty vessel, ready to accommodate rapidly shifting trends.
- simplification: to be a trusted, dependable part of people's everyday lives.
- Brands are also defined by their products now: they become words and do not need a big logo.
- readability: even if it is becoming less of an issue
Shoot for simplicity and legibility, but keep your distinguishing features. Don’t throw away what the brand has been working on for decades.
A critique of the McFly et Carlito video with Jean-Marc Jancovici. Some relevant topics were addressed.
On the other hand, social inequalities in the face of ecology were absent from the discussion, as were transport policy (the debate was reduced to cars) and considerations other than carbon.
If these individual actions are not accompanied by any political change, these small gestures will remain futile.
Carpooling is a good practice for reducing our transport-related emissions, but it does not change the fact that many French territories depend on the car, which itself depends on petrol or diesel.
Raising awareness among as many people as possible is nonetheless essential!