jm + javascript   53

Malicious packages in npm
The node.js packaging system is being exploited by bad guys to steal auth tokens at build time. This is the best advice they can come up with:
Always check the name of packages you’re installing. You can look at the downloads number: if a package is popular but the downloads number is low, something is wrong.


:facepalm: What a mess. Security needs to become a priority....
javascript  security  npm  node  packaging  packages  fail 
7 weeks ago by jm
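The advice quoted above (check the package name, compare against the popular package) is the sort of thing that can at least be mechanised for the easy cases. The following is an added example, written for this page and not npm's own tooling: it reads the dependency names out of a package.json object and flags any that sit one edit, or one separator change, away from a well-known name. The `POPULAR` list and `SAMPLE_PACKAGE_JSON` are constructed stand-ins; a real check would pull popular names and download counts from the registry, which this offline script does not do.

```javascript
// Added example (not npm's tooling): lookalike-name check for package.json.
// Constructed allow-list standing in for "popular packages".
const POPULAR = ['lodash', 'express', 'request', 'cross-env', 'babel-cli', 'mongoose'];

// Constructed package.json: two lookalikes, one separator variant, two honest names.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { lodahs: '^4.17.4', lodash: '^4.17.4', cross_env: '^5.0.0' },
  devDependencies: { expres: '^4.15.0', 'left-pad': '^1.1.3' },
};

// Typosquats often differ only in separators, case, or a scope prefix.
function normalize(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, '').replace(/[-_.]/g, '');
}

// Optimal-string-alignment distance: insert, delete, substitute or swap two
// adjacent characters, each costing 1. Swaps matter: "lodahs" is one
// transposition from "lodash".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Flag every dependency that is not itself a popular name but is within one
// edit (or one separator/case change) of one. Returns [{name, lookalike, reason}].
function checkDependencies(pkg, popular = POPULAR) {
  const names = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  const findings = [];
  for (const name of names) {
    if (popular.includes(name)) continue;
    const norm = normalize(name);
    for (const p of popular) {
      const pn = normalize(p);
      if (norm === pn) {
        findings.push({ name, lookalike: p, reason: 'separator/case variant' });
        break;
      }
      if (norm.length >= 4 && editDistance(norm, pn) === 1) {
        findings.push({ name, lookalike: p, reason: 'one edit away' });
        break;
      }
    }
  }
  return findings;
}

// Usage: flags lodahs, cross_env and expres; leaves lodash and left-pad alone.
console.log(checkDependencies(SAMPLE_PACKAGE_JSON));
```

Run it as a preinstall or CI step against the repository's package.json; anything it flags deserves a look at the registry page (publisher, version history, download count) before the install proceeds. Short names are exempt from the distance rule because three-letter packages are all one edit from each other.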
SECURITY ALERT - Critical bug in Parity's MultiSig-Wallet
'Together, we were able to determine that malicious actors had exploited a flaw in the Parity Multisig code, which allowed a known party to steal over 153,000 ETH from several projects including Edgeless Casino, Aeternity, and Swarm City.'

By leaving "internal" (a visibility-restricting keyword) off the wallet contract's initialisation function, attackers were able to steal millions from a "secure" multi-sig wallet in Ethereum: https://press.swarm.city/parity-multisig-wallet-exploit-hits-swarm-city-funds-statement-by-the-swarm-city-core-team-d1f3929b4e4e

https://twitter.com/ncweaver/status/887821804038873088 : 'Time from "OMFG there is a bug" to "geez, someone steal $16M"? 2 hours. Gotta love JavaScript FunBukx, err Ethereum'
ethereum  fail  security  exploits  javascript  parity 
9 weeks ago by jm
DoppioJVM
'A Java Virtual Machine written in 100% JavaScript.' Wrapping outbound TCP traffic in websockets, mad stuff
jvm  java  javascript  js  hacks  browser  emulation  websockets 
10 weeks ago by jm
left-pad.io
A microservice saviour appears!
In order to prevent such a terrible tragedy from occurring ever again during
our lifetimes, `left-pad.io` has been created to provide all the functionality
of `left-pad` AND the overhead of a TLS handshake and an HTTP request.
Less code is better code, leave the heavy lifting to `left-pad.io`, The String
Experts™.
humor  javascript  jokes  npm  packages  left-pad  strings  microservices  http 
march 2016 by jm
Javascript libraries and tools should bundle their code
If you have a million npm dependencies, distribute them in the dist package; a.k.a. omnibus packages for JS
packaging  omnibus  npm  webpack  rollup  dependencies  coding  javascript 
march 2016 by jm
Flow
a static type checker for Javascript, from Facebook
javascript  code-analysis  coding  facebook  types  strong-types 
march 2016 by jm
Plotly
Online chart maker for CSV and Excel data; make charts and dashboards online. One really nice feature is that charts made this way get permalinks, and can be easily inlined as PNGs or HTML5 divs. (See https://www.vividcortex.com/blog/analyzing-sparks-mpp-scalability-with-the-usl for an example.)
data  javascript  python  tools  visualization  dataviz  charts  graphing  web  plotly  plots  graphs 
january 2016 by jm
A Gulp Workflow for Amazon Lambda
'any nontrivial development of Lambda functions will require a simple, automated build/deploy process that also fills a couple of Lambda’s gaps such as the use of node modules and environment variables.'

See also https://medium.com/@AdamRNeary/developing-and-testing-amazon-lambda-functions-e590fac85df4#.mz0a4qk3j : 'I am psyched about Amazon’s new Lambda service for asynchronous task processing, but the ideal development and testing cycle is really left to the engineer. While Amazon provides a web-based console, I prefer an approach that uses Mocha. Below you will find the gritty details using Kinesis events as a sample input.'
lambda  aws  services  testing  deployment  ops  mocha  gulp  javascript 
december 2015 by jm
Lambda: Bees with Frickin' Laser Beams
an HTTP testing tool in AWS Lambda. nice enough, but still a toy...
lambda  aws  node  javascript  hacks  http  load-testing 
may 2015 by jm
Google Online Security Blog: A Javascript-based DDoS Attack [the Greatfire DDoS] as seen by Safe Browsing
We hope this report helps to round out the overall facts known about this attack. It also demonstrates that collectively there is a lot of visibility into what happens on the web. At the HTTP level seen by Safe Browsing, we cannot confidently attribute this attack to anyone. However, it makes it clear that hiding such attacks from detailed analysis after the fact is difficult.

Had the entire web already moved to encrypted traffic via TLS, such an injection attack would not have been possible. This provides further motivation for transitioning the web to encrypted and integrity-protected communication. Unfortunately, defending against such an attack is not easy for website operators. In this case, the attack Javascript requests web resources sequentially and slowing down responses might have helped with reducing the overall attack traffic. Another hope is that the external visibility of this attack will serve as a deterrent in the future.


Via Nelson.
google  security  via:nelson  ddos  javascript  tls  ssl  safe-browsing  networking  china  greatfire 
april 2015 by jm
32-bit overflow in BitGo js code caused an accidental 85 BTC transaction fee
Yes, this is a fucking 32-bit integer overflow. Whatever software was used, it calculated the sum of all inputs using 32-bit variables, which overflow at about 20 BTC if signed or 40 BTC if not. The fee was supposed to be 0xC350 = 50,000 satoshis, but it turned out to be 0x2,0000,C350 = 8,589,984,592 satoshis.
Captains of the industry. If they were captains of any other industry, like say for example automotive, we'd have people dying in car crashes between two stationary vehicles.
bitcoin  fail  bitgo  javascript  bugs  32-bit  overflow  btc 
april 2015 by jm
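The arithmetic in the quote above is worth seeing run. As an added example (mine, not BitGo's code; the amounts are constructed), the snippet below sums two 50 BTC inputs once through an unsigned 32-bit register, simulated with JavaScript's `>>> 0`, and once with checked Number arithmetic, then builds the change output the way a wallet does. The 32-bit sum undercounts the inputs by exactly 2^33, and everything not claimed by an output becomes the fee, which is how 0xC350 turns into 0x20000C350. The last function is the pre-signing sanity check that would have refused the transaction.

```javascript
// Added example (not BitGo's code): a 32-bit input sum and the fee it produces.
// Constructed inputs: two 50 BTC inputs, 5e9 satoshi each. The true total,
// 1e10 satoshi, is more than two wraps of 2^32 (~42.9 BTC).
const INPUTS = [5000000000, 5000000000];
const SPEND = 1000000000;  // 10 BTC to the recipient (assumed)
const FEE = 0xC350;        // the intended fee from the post: 50,000 satoshi

// Buggy: every partial sum is forced through an unsigned 32-bit register.
// `>>> 0` does that in JavaScript; reading amounts with a 32-bit Buffer
// accessor has the same effect.
function sumInputs32(inputs) {
  return inputs.reduce((acc, v) => (acc + v) >>> 0, 0);
}

// Correct: Number arithmetic is exact below 2^53, and the guard refuses
// anything outside that range rather than silently wrapping.
function sumInputsSafe(inputs) {
  return inputs.reduce((acc, v) => {
    if (!Number.isSafeInteger(v) || v < 0) throw new RangeError(`bad amount ${v}`);
    const s = acc + v;
    if (!Number.isSafeInteger(s)) throw new RangeError('input total overflows');
    return s;
  }, 0);
}

// change = inputs - spend - fee, as a wallet computes it. The chain, however,
// sees the real input total, so whatever the change output fails to claim
// is paid to the miner as fee.
function buildTx(inputs, spend, fee, sumFn) {
  const total = sumFn(inputs);
  const change = total - spend - fee;
  const realTotal = sumInputsSafe(inputs);
  const effectiveFee = realTotal - spend - change;
  return { total, change, effectiveFee };
}

// Pre-signing check: non-negative outputs and a hard ceiling on the fee the
// network will actually collect. This is independent of how the sum was done.
function feeLooksSane(tx, maxFee) {
  return tx.change >= 0 && tx.effectiveFee >= 0 && tx.effectiveFee <= maxFee;
}

// Usage: the buggy path pays 8,589,984,592 satoshi (~85.9 BTC) in fees.
const buggy = buildTx(INPUTS, SPEND, FEE, sumInputs32);
const fixed = buildTx(INPUTS, SPEND, FEE, sumInputsSafe);
console.log('32-bit sum fee: 0x' + buggy.effectiveFee.toString(16), feeLooksSane(buggy, 100000));
console.log('checked sum fee: 0x' + fixed.effectiveFee.toString(16), feeLooksSane(fixed, 100000));
```

Two points follow from running it. First, the overflow never surfaces as an error: the wrapped total, the negative-looking mismatch and the oversized fee are all perfectly valid integers, so only an explicit range guard or a fee ceiling catches it. Second, the fee check works on the real total, which is why it must be computed independently of the path that built the change output.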
Writing Minecraft Plugins - The Book
wow, Walter Higgins' book (from Peachpit Press) is looking great
books  reading  minecraft  walter-higgins  javascript 
april 2015 by jm
Javascript Acid Machine
a 303 and an 808 (correction: apparently more like a 909) in your browser. this is deadly
acid  303  music  javascript  hacks  via:hn  techno 
march 2015 by jm
Embed-able Computers are a Thing. — February 12, 2015
'If it works, a copy of Burgertime for DOS is now in your browser, clickable from my entry. If it doesn’t… well, no Burgertime for you. (Unless you visit the page.) There’s a “share this” link in the new archive.org interface for sharing these in-browser emulations in web pages, weblogs and who knows what else.'
sharing  embeds  html  javascript  emulation  msdos  burgertime  games  archive.org 
february 2015 by jm
Flow, a new static type checker for JavaScript
Unlike the (excellent) Typescript, it'll infer types:
Flow’s type checking is opt-in — you do not need to type check all your code at once. However, underlying the design of Flow is the assumption that most JavaScript code is implicitly statically typed; even though types may not appear anywhere in the code, they are in the developer’s mind as a way to reason about the correctness of the code. Flow infers those types automatically wherever possible, which means that it can find type errors without needing any changes to the code at all. On the other hand, some JavaScript code, especially frameworks, make heavy use of reflection that is often hard to reason about statically. For such inherently dynamic code, type checking would be too imprecise, so Flow provides a simple way to explicitly trust such code and move on. This design is validated by our huge JavaScript codebase at Facebook: Most of our code falls in the implicitly statically typed category, where developers can check their code for type errors without having to explicitly annotate that code with types.
facebook  flow  javascript  coding  types  type-inference  ocaml  typescript 
november 2014 by jm
MetricsGraphics.js - a library based on D3.js, optimized for visualizing and laying out time-series data
MetricsGraphics.js is a library built on top of D3 that is optimized for visualizing and laying out time-series data. It provides a simple way to produce common types of graphics in a principled, consistent and responsive way. The library currently supports line charts, scatterplots and histograms as well as features like rug plots and basic linear regression.
charts  javascript  timeline  visualization  time-series  d3 
november 2014 by jm
AtScript
a new "types for Javascript" framework, from the team behind Angular.js -- they plan to "harmonize" it with TypeScript and pitch it for standardization, which would be awesome.

(via Rob Clancy)
via:robc  atscript  javascript  typescript  types  languages  coding  google  angular 
october 2014 by jm
Comcast Wi-Fi serving self-promotional ads via JavaScript injection | Ars Technica
Comcast is adding data into the broadband packet stream. In 2007, it was packets serving up disconnection commands. Today, Comcast is inserting JavaScript that is serving up advertisements, according to [Robb] Topolski, who reviewed Singel's data. "It's the duty of the service provider to pull packets without treating them or modifying them or injecting stuff or forging packets. None of that should be in the province of the service provider," he said. "Imagine every Web page with a Comcast bug in the lower righthand corner. It's the antithesis of what a service provider is supposed to do. We want Internet access, not another version of cable TV."


The company appears to be called Front Porch: http://arstechnica.com/tech-policy/2014/09/meet-the-tech-company-performing-ad-injections-for-big-cable/
comcast  ads  injection  security  javascript  http  network-neutrality  isps 
september 2014 by jm
A dive into a UTF-8 validation regexp
Once again, I find myself checking over the UTF-8 validation code in websocket-driver, and once again I find I cannot ever remember how to make sense of this regex that performs the validation. I just copied it off a webpage once and it took a while (and reimplementing UTF-8 myself) to fully understand what it does. If you write software that processes text, you’ll probably need to understand this too.
utf-8  unicode  utf8  javascript  node  encoding  text  strings  validation  websockets  regular-expressions  regexps 
june 2014 by jm
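The regexp the post unpicks is the byte-range table from RFC 3629 folded into one pattern. As an added example, written here and not websocket-driver's code, the same table as an explicit loop over bytes, which is easier to audit and makes visible the three things a validator exists to reject: overlong encodings (a second spelling of "/" that a naive filter will not match), UTF-16 surrogates, and code points above U+10FFFF. The sample byte sequences are constructed.

```javascript
// Added example (not websocket-driver's code): RFC 3629 UTF-8 validation as
// an explicit byte loop. Accepts an array or Buffer of byte values.
function validateUtf8(bytes) {
  const n = bytes.length;
  let i = 0;
  while (i < n) {
    const b = bytes[i];
    let need;          // number of continuation bytes that must follow
    let lo = 0x80;     // allowed range of the FIRST continuation byte;
    let hi = 0xBF;     // narrowed for E0/ED/F0/F4 to kill overlongs,
                       // surrogates and > U+10FFFF
    if (b <= 0x7F) { i += 1; continue; }                     // ASCII
    else if (b >= 0xC2 && b <= 0xDF) { need = 1; }          // U+0080..U+07FF
    else if (b === 0xE0) { need = 2; lo = 0xA0; }           // no overlong 3-byte
    else if (b >= 0xE1 && b <= 0xEC) { need = 2; }
    else if (b === 0xED) { need = 2; hi = 0x9F; }           // excludes U+D800..U+DFFF
    else if (b >= 0xEE && b <= 0xEF) { need = 2; }
    else if (b === 0xF0) { need = 3; lo = 0x90; }           // no overlong 4-byte
    else if (b >= 0xF1 && b <= 0xF3) { need = 3; }
    else if (b === 0xF4) { need = 3; hi = 0x8F; }           // caps at U+10FFFF
    else return false;  // 80..BF stray continuation, C0/C1 overlong, F5..FF never valid

    if (i + need >= n) return false;  // truncated sequence at end of input
    const c1 = bytes[i + 1];
    if (c1 < lo || c1 > hi) return false;
    for (let k = 2; k <= need; k++) {
      const c = bytes[i + k];
      if (c < 0x80 || c > 0xBF) return false;
    }
    i += need + 1;
  }
  return true;
}

// Constructed samples: what a validator must accept and what it must reject.
const SAMPLES = {
  euro:            { bytes: [0xE2, 0x82, 0xAC], valid: true },   // U+20AC
  grinning:        { bytes: [0xF0, 0x9F, 0x98, 0x80], valid: true },  // U+1F600
  empty:           { bytes: [], valid: true },
  overlongSlash:   { bytes: [0xC0, 0xAF], valid: false },         // "/" spelled in 2 bytes
  overlongNul:     { bytes: [0xE0, 0x80, 0x80], valid: false },   // U+0000 in 3 bytes
  surrogate:       { bytes: [0xED, 0xA0, 0x80], valid: false },   // U+D800
  aboveMax:        { bytes: [0xF4, 0x90, 0x80, 0x80], valid: false }, // U+110000
  truncated:       { bytes: [0xE2, 0x82], valid: false },
  strayContinuation: { bytes: [0x80], valid: false },
};

// Runs every sample and returns the names whose result disagrees with the label.
function mismatchedSamples() {
  return Object.keys(SAMPLES).filter((k) => validateUtf8(SAMPLES[k].bytes) !== SAMPLES[k].valid);
}

// Usage: Buffer.from() yields the bytes Node would send on the wire.
console.log(validateUtf8(Buffer.from('héllo €', 'utf8')), mismatchedSamples());
```

The narrowed first-continuation ranges are the whole point: with plain `80..BF` for every lead byte the loop would accept `C0 AF` and `E0 80 AF` as "/", and any path-traversal or quoting filter that ran before decoding would be walked straight past. Validate the bytes, then decode, never the reverse.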
S3 as a single-web-page application engine
neat hack. Pity it returns a 403 error code due to the misuse of the ErrorDocument feature though
s3  javascript  single-page  web  html  markdown  hacks 
april 2014 by jm
Sky parental controls break many JQuery-using websites
An 11 hour outage caused by a false positive in Sky's anti-phishing filter; all sites using the code.jquery.com CDN for JQuery would have seen errors.
Sky still appears to be blocking code.jquery.com and all files served via the site, and more worryingly is that if you try to report the incorrect category, once signing in on the Sky website you get an error page. We suspect the site was blocked due to being linked to by a properly malicious website, i.e. code.jquery.com and some javascript files were being used on a dodgy website and every domain mentioned was subsequently added to a block list.


(via Tony Finch)
via:fanf  sky  filtering  internet  uk  anti-phishing  phish  jquery  javascript  http  web  fps  false-positives 
january 2014 by jm
James Friend | PCE.js - Classic Mac OS in the Browser
This is a demo of PCE's classic Macintosh emulation, running System 7.0.1 with MacPaint, MacDraw, and Kid Pix. If you want to try out more apps and games see this demo.


Incredible. I remember using this version of MacPaint!
javascript  browser  emulation  mac  macos  macpaint  macdraw  claris  kid-pix  history  desktop  pce 
january 2014 by jm
A sampling profiler for your daily browsing - Google Groups
via Ilya Grigorik: Chrome Canary now has a built-in, always-on, zero-overhead code profiler. I want this in my server-side JVMs!
chrome  tracing  debugging  performance  profiling  google  sampling-profiler  javascript  blink  v8 
january 2014 by jm
earth wind map
Beautiful d3.js dataviz of wind patterns and forecasts, projected against a vector Earth map
earth  map  visualization  weather  javascript  d3.js  dataviz  wind  forecasts  maps 
january 2014 by jm
vimeo/timeserieswidget
'Plugin to make highly interactive graphite graph objects (i.e. graphs where you can interactively toggle on/off individual series, inspect datapoints, zoom in realtime, etc). Supports Flot (canvas), Rickshaw (svg) and standard graphite png images (in case you're nostalgic and don't like interactivity).'
graphs  graphing  graphite  dataviz  flot  rickshaw  svg  canvas  javascript 
september 2013 by jm
The algorithm for a perfectly balanced photo gallery – Summit Stories from Crispy Mountain
Nice application of a partitioning exhaustive search algorithm using dynamic programming (via Tom)
algorithms  javascript  python  dynamic-programming  partitioning  images  gallery 
august 2013 by jm
The Trello Tech Stack
Good description of how Fog Creek built out their Trello product; client-side JS rendering, model synced across the wire, HAProxy, Redis, and WebSockets. Bookmarked notably for this paragraph, which doesn't ameliorate my fear of WebSockets as a tech:
The Socket.io server currently has some problems with scaling up to more than 10K [jm: oh dear] simultaneous client connections when using multiple processes and the Redis store, and the client has some issues that can cause it to open multiple connections to the same server, or not know that its connection has been severed.
websockets  javascript  architecture  fog-creek  trello  ajax  push 
july 2013 by jm
Fat Tails
Nice d3.js demo of the fat-tailed distribution:
A fat-tailed distribution looks normal but the parts far away from the average are thicker, meaning a higher chance of huge deviations. [...] Fat tails don't mean more variance; just different variance. For a given variance, a higher chance of extreme deviations implies a lower chance of medium ones.
dataviz  via:hn  statistics  visualization  distributions  fat-tailed  kurtosis  d3.js  javascript  variance  deviation 
july 2013 by jm
js-hll
Good UI for exploration of HyperLogLog set intersections and unions.
One of the first things that we wanted to do with HyperLogLog when we first started playing with it was to support and expose it natively in the browser. The thought of allowing users to directly interact with these structures -- perform arbitrary unions and intersections on effectively unbounded sets all on the client -- was exhilarating to us. [...] we are pleased to announce the open-source release of AK’s HyperLogLog implementation for JavaScript, js-hll. We are releasing this code under the Apache License, Version 2.0.

We knew that we couldn’t just release a bunch of JavaScript code without allowing you to see it in action — that would be a crime. We passed a few ideas around and the one that kept bubbling to the top was a way to kill two birds with one stone. We wanted something that would showcase what you can do with HLL in the browser and give us a tool for explaining HLLs. It is typical for us to explain how HLL intersections work using a Venn diagram. You draw some overlapping circles with a border that represents the error and you talk about how if that border is close to or larger than the intersection then you can’t say much about the size of that intersection. This works just ok on a whiteboard but what you really want is to just build a visualization that allows you to select from some sets and see the overlap. Maybe even play with the precision a little bit to see how that changes the result. Well, we did just that!
javascript  ui  hll  hyperloglog  algorithms  sketching  js  sets  intersection  union  apache  open-source 
june 2013 by jm
Gap's application of Knockout.js and the MVVM model
Interesting, first time I'd heard of it; the Model-View-View Model pattern.
mvvm  architecture  javascript  web  ui  knockout-js  martin-fowler  json 
april 2013 by jm
Google Drive SDK
realtime collaboration API. nifty! but can it collaborate on a per-app shared doc, or does it require that the app user auth to Google and access their own docs?
collaboration  api  realtime  google  javascript 
march 2013 by jm
Literate Jenks Natural Breaks and How The Idea Of Code is Lost
A crazy amount of code archaeology to discover exactly how an algorithm (specifically 'Jenks natural breaks') works, after decades of cargo-cult copying (via Nelson):

'I spent a day reading the original text and decoding as much as possible of the code’s intention, so that I could write a ‘literate’ implementation. My definition of literate is highly descriptive variable names, detailed and narrative comments, and straightforward code with no hijinks.

So: yes, this isn’t the first implementation of Jenks in Javascript. And it took me several times longer to do things this way than to just get the code working.

But the sad and foreboding state of this algorithm’s existing implementations said that to think critically about this code, its result, and possibilities for improvement, we need at least one version that’s clear about what it’s doing.'
jenks-natural-breaks  algorithms  chloropleth  javascript  reverse-engineering  history  software  copyright  via:nelson 
february 2013 by jm
Network graph viz of Irish politicians and organisations on Twitter
generated by the Clique Research Cluster at UCD and DERI. 'a visualization of the unified graph representation for the users in the data, produced using Gephi and sigma.js. Users are coloured according to their community (i.e. political affiliation). The size of each node is proportional to its in-degree (i.e. number of incoming links).' sigma.js provides a really user-friendly UI to the graphs, although -- as with most current graph visualisations -- it'd be particularly nice if it was possible to 'tease out' and focus on interesting nodes, and get a pasteable URL of the result, in context. Still, the most usable graph viz I've seen in a while...
graphs  dataviz  ucd  research  ireland  twitter  networks  community  sigma.js  javascript  canvas  gephi 
january 2013 by jm
Data distribution in the cloud with Node.js
Very interesting presentation from ex-IONAian Darach Ennis of Push Technology on eep.js, embedded event processing in Javascript for node.js stream processing. Handles tumbling, monotonic, periodic and sliding windows at 8-40 million events per second; no multi-dimensional, infinite or predicate event-processing windows. (via Sergio Bossa)
via:sbtourist  events  event-processing  streaming  data  ex-iona  darach-ennis  push-technology  cep  javascript  node.js  streams 
october 2012 by jm
Cubism.js
'a D3 plugin for visualizing time series. Use Cubism to construct better realtime dashboards.' Apache-licensed; nice realtime update style; overlays multiple data sources well. I think I now have a good use-case for this
javascript  library  visualization  dataviz  tsd  data  apache  open-source 
april 2012 by jm
JS1k, 1k demo submission
a speech synthesizer in 1 KB of javascript. truly awesome, nice work by @p01
js1k  javascript  demos  speech  hacks  coding 
march 2012 by jm
Worldtime Buddy
easy timezone conversion -- bookmarkable URLs, sensible levels of AJAX/JS, nicely done
timezones  time  conversion  javascript  world 
may 2011 by jm
Javascript PC Emulator
truly incredible -- quite fast (about 386 speeds) under Chrome, even! from the HN comments: 'I just forkbombed my browser. Nothing is sacred anymore.' more comments at http://news.ycombinator.com/item?id=2555349
browser  javascript  linux  emulation  fabrice-bellard  hacks  amazing  cool  google-chrome  x86 
may 2011 by jm
Bulletproof Node.js Coding
lots of patterns to write safe node.js code.  Pretty daunting, to be honest
javascript  node.js  coding  programming  async  from delicious
march 2011 by jm
Tunisian government harvesting usernames and passwords
injects JS onto Google, Facebook, Yahoo! non-encrypted login pages to submit the typed username and password against nonexistent http URLs, e.g. 'http://www.google.com/wo0dh3ad', presumably so that DPI logging can collect them. apparently the HTTPS login pages are blocked to force use of HTTP
tunisia  via:pjakma  security  snooping  surveillance  https  javascript  from delicious
january 2011 by jm
Every Time Zone
"Never warp your brain with time zone math again." Quite a useful javascript TZ conversion tool, although it could be more intuitive still
conversion  javascript  reference  timezones  time  international  from delicious
april 2010 by jm
How do we kick our synchronous addiction?
great post on the hazards of programming in an async framework, and how damn hard it is. good comments thread too (via jzawodny)
via:jzawodny  coding  python  javascript  scalability  ruby  concurrency  erlang  async  node.js  twisted  from delicious
february 2010 by jm
dygraphs JavaScript Visualization Library
'an open source JavaScript library that produces interactive, zoomable charts of time series. It is designed to display dense data sets and enable users to explore and interpret them.' quite pretty
time-series  data  tsd  graphs  charts  javascript  via:reddit  dataviz  visualization  opensource  dygraphs  from delicious
december 2009 by jm
Node.js
I'm late to the party, but this sounds lovely
javascript  server  http  web  comet  closures  node.js  event  from delicious
november 2009 by jm
Time Warner Cable Exposes 65,000 Customer Routers to Remote Hacks
massive fail. 'By simply disabling Javascript in his browser, he was able to [...] dump the router’s configuration file [...which] included the administrative login and password in cleartext.'
smc8014  doh  privacy  internet  security  fail  time-warner  via:reddit  pathetic  javascript  from delicious
october 2009 by jm
Nelson Minar plugs a new way to write web apps
Every HTML page is static -- the dynamic parts are entirely DOM-injected from server-delivered JSON by client-side Javascript. No dynamic data is delivered in HTML. I'm thinking about this, and it does seem to bring a lot of positives. hmm
dom  javascript  json  web-apps  web  nelson-minar  ajax  from delicious
september 2009 by jm
Embeddable Google Document Viewer
'Google Docs offers an undocumented feature that lets you embed PDF files and PowerPoint presentations in a web page. The files don't have to be uploaded to Google Docs, but they need to be available online.' sweet!
google  google-docs  javascript  iframe  content  pdf  adobe  html  web  documentation  embedding  powerpoint  ppt  viewer  embed  embedded  from delicious
september 2009 by jm