Keith Wagner

Notes

Here you'll find short blurbs about interesting articles or blogs from others I've read and wanted to note.

Some thoughts on the YubiKey EUCLEAK Vulnerability

It looks like everyone's favourite FIDO token provider might have an unpatchable vulnerability! Much Sturm und Drang from the usual sources. But how bad is it really? Not so bad - but it does expose some weaknesses in the very idea of having physical tokens.

It also looks like the attacker will need:

  • Physical access to the key
  • The username and password for the account the key protects
  • $11,000 worth of equipment

So yes, it doesn’t seem to be an “easy” attack, but geez…it’s always something.

Cars Are Rolling Computers Now. So What Happens When They Stop Getting Updates?

Samsung and Google provide Android OS updates and security updates for seven years. Apple halts servicing products seven years after they stop selling them.

That might not cut it in the auto world, where the average age of cars on US roads is only going up. A recent report found that cars and trucks just reached a new record average age of 12.6 years, up two months from 2023. That means the car software hitting the road today needs to work—and maybe even improve—beyond 2036. The average length of smartphone ownership is just 2.8 years.

It’s not something that you might think about, but with all the technology in cars, how long will the tech be supported? Cars can last a long time if well maintained. Tech seems to be somewhat expendable.

My Honda Civic is now 10 years old and I don’t plan on getting rid of it anytime soon. The only “tech” I have in my car is the standard entertainment system, but newer cars have a whole lot more, from cellular connectivity on up.

Is it all going to be maintained and supported? Are security updates going to continue for the life of the car? What will GM, Ford, Honda and others consider the “life of the car”?

A Rant about Front-end Development

Chances are, the things you don’t like about CSS are the things you haven’t bothered to understand about it.

I will say, I did have gripes with CSS early in my career. The more I’ve used it though, the more I’ve grown to understand it. It can take some time to wrap your head around it. Dismissing it out of hand is not the answer.

My brothers and sisters in Christ I want you to know that I care about your souls enough to share these truths with you:

  • You don’t need JavaScript to make a web page.
  • You don’t need JavaScript to write styles.
  • You don’t need JavaScript to make an animation.
  • You don’t need JavaScript just to show content.

I take pride in that my site limits its use of JavaScript. JS certainly has its place and I do use it, but boy do some developers rely on it for tasks that just don’t need it.

You don’t need a framework to render static content to the end user. Stop creating complex solutions to simple problems.

Amen.

Every Dependency is a Potential Vulnerability

Every piece of code is a potential vulnerability, really. Not just dependencies.

But code that you don’t own, that’s outside your control, is particularly vulnerable.

One of the big myths of using frameworks and libraries and cloud services is that you no longer have to “own” that piece of the code. You’re benefiting from someone else having already solved it.

We deal with this a lot at my job and I think it's important to take note of. We thankfully have dependency checkers to catch known vulnerabilities in the packages we reference so issues are hopefully caught and identified sooner rather than later. But the fact remains that we can be at the mercy of the frameworks and libraries to fix them.

Third-party developers could abandon their libraries, or they might only fix an issue in a version that has breaking changes compared with the version you're using. Either way, it means that you're now in a bind with your website or app.

This is not to say don't use third-party libraries or frameworks. Most developers are fantastic and are legitimately doing their best to write good software. But it should cause you to do at least two things. First, be mindful of what dependencies you use. Second, do what you can to make sure you and/or your company support the open source developers who make the tools you use.
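To make the two failure modes above concrete (a library whose maintainer never ships a fix, and a fix that only lands in a new major version), here is an added example, not code from the original post or from any real audit tool, of a minimal dependency audit in JavaScript. The package names, lockfile entries and advisory IDs are constructed for illustration, and the range logic handles plain x.y.z versions only; real scanners such as npm audit generalize the same idea over richer version ranges.

```javascript
// Added example (not from the original post): a minimal dependency audit that
// flags pinned versions covered by known advisories and says whether the fix
// is reachable without a breaking (major) upgrade. All package names and
// advisory IDs below are constructed, not real packages or CVEs.

// Parse "1.2.3" into [1, 2, 3]; only plain numeric triples are accepted.
function parseVersion(v) {
  const parts = v.trim().split(".");
  if (parts.length !== 3 || parts.some((p) => !/^\d+$/.test(p))) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts.map(Number);
}

// Numeric comparison, so "1.10.0" sorts after "1.9.0" (a string compare would not).
// Returns -1, 0 or 1 for a < b, a == b, a > b.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// An advisory covers the half-open range [introduced, fixed); a null "fixed"
// means the maintainer has not shipped a patched release.
function isAffected(version, advisory) {
  if (compareVersions(version, advisory.introduced) < 0) return false;
  if (advisory.fixed === null) return true;
  return compareVersions(version, advisory.fixed) < 0;
}

// Audit a lockfile-style map of { name: pinnedVersion } against advisories and
// classify each hit by how painful the remediation is.
function audit(lockfile, advisories) {
  const findings = [];
  for (const [name, version] of Object.entries(lockfile)) {
    for (const adv of advisories.filter((a) => a.package === name)) {
      if (!isAffected(version, adv)) continue;
      let status;
      if (adv.fixed === null) {
        status = "no fix available";
      } else if (parseVersion(adv.fixed)[0] > parseVersion(version)[0]) {
        status = "fix requires major upgrade";
      } else {
        status = "fix available in current major";
      }
      findings.push({ package: name, version, advisory: adv.id, fixed: adv.fixed, status });
    }
  }
  return findings;
}

// Constructed sample input: a pinned lockfile and a small advisory feed.
const SAMPLE_LOCKFILE = {
  "example-templating": "2.4.1",
  "example-http-client": "1.9.0",
  "example-date-utils": "3.0.2",
  "example-markdown": "0.8.5",
};

const SAMPLE_ADVISORIES = [
  { id: "ADV-0001", package: "example-templating", introduced: "2.0.0", fixed: "2.4.2" },
  { id: "ADV-0002", package: "example-http-client", introduced: "1.0.0", fixed: "2.0.0" },
  { id: "ADV-0003", package: "example-markdown", introduced: "0.0.0", fixed: null },
  { id: "ADV-0004", package: "example-date-utils", introduced: "1.0.0", fixed: "2.5.0" },
];

function runSampleAudit() {
  return audit(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES);
}

console.log(JSON.stringify(runSampleAudit(), null, 2));
```

Running it reports three findings: the templating package can be fixed with a patch-level bump, the HTTP client is only fixed in a new major (the breaking-change bind described above), and the markdown package has no fixed release at all; the date utility is already past its advisory's fixed version and is not reported.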

Some Economic Ranting Regarding Trump

I try not to delve too much into politics here, but I heard this and thought it matters.

Here’s what she says in this tweet yesterday: “Trump brought up the idea” to that GOP meeting of “‘an all tariff policy’ that would lead to getting rid of the income tax, per sources in the room.” So, this. This frustrates me so deeply. Number one, because it’s just idiotic and economically illiterate, which I’ll explain in a moment. But number two, it is an example of the, I don’t want to say chasing our tails, but the knocking down of idiocy that the economic and financial media is going to have to do if the former president wins because facts matter. So, super quickly. I looked up these numbers. We generate $2.2 trillion in revenue from the income tax every single year. We import about $3.8 trillion worth of stuff into this economy every single year. So, in order to get $2.2 trillion to replace the income tax from a tariff on $3.8 trillion worth of income, you’d have to have a tariff of nearly 60% across the board, just to start, right? But what happens when you tax things? That is to say when you put tariffs on them, because tariffs aren’t taxed on imported goods that consumers pay so. When you tax things, people buy less of them, so our imports will go down, but we’ll have to still make that $2.2 trillion nut. So, our tariff rates are going to have to increase. As the tariff rates increase, the amount of stuff we’re going to buy is going to go down because when you tax stuff more, the amount of stuff you buy that is taxed goes down. And so on and so forth, until you get to a tariff rate of infinity. It’s just stupid. I can’t tell you how annoying this is to me, that we’re going to have to chase our tails on idiotic stuff like this because it’s being bandied about by a guy who, this isn’t me, this is Janet Yellen, does not understand the economy. It just. I can’t tell you how absolutely fried my brain gets when I think about this. That’s it. That’s all I’ve got.

I can’t add any more to Kai Ryssdal’s rant here. In the lead up to the election this November, do your best to stay informed.

IndieWeb Principles

I love this. Ever since the death of X/Twitter I’ve been much more focused on making sure that I control the data and content I post that means the most to me.

Own your data. Your content, your metadata, your identity.

Use and publish visible data. For humans first, machines second.

Above all, have fun. When the web took off in the 90’s people began designing personal sites with tools such as GeoCities. These spaces had Java applets, garish green background and seventeen animated GIFs. It may have been ugly and badly coded but it was fun. Keep the web weird and interesting.

Emojis as a Common Language

It’s like and, but we have developed a whole language around what these symbols mean, right? Over the course of decades. And so, if we don’t use them anymore, and everything is AI generated. If we AI generate emojis, you know, we’re not going to have a common language around them anymore. So, I wonder how many people just, kind of, default to the old emojis will just still just because they maybe understand what they mean.

Kimberly Adams isn’t wrong. People have taken emojis and integrated them into language. In some cases the emoji doesn’t equate to its actual meaning. It’s going to be interesting if that starts to fade with some of this or if it will stick around.

The Analog Web

People create these sites simply so that they exist. They are not fed to an algorithm, or informed by any trends. It is quieter and slower, meant to tether us to a more mechanical framework of the web.

This is the analog web.

I’ve mentioned it many times, but the personal site renaissance is one of my favorite things. I know they’ve existed looooong before Twitter. I go through my RSS feeds and it just feels nicer, calmer. I hope I can help contribute to it.

Edit 6/9/2024: Fixed a typo. Thanks Andrew!

Interdisciplinary Website Maker

But now-a-days, any cross-disciplinary interest is easily interpreted as a lack of specialization and dedication to craft. If you’re doing design and code, how can you be really great at either? You’re not maximizing.

I don’t think there’s anything wrong with specializing; I also don’t think there’s anything wrong with becoming a jack-of-all-trades.

Designers versus coders aside, I find it odd sometimes when people think that front end developers know no backend and vice versa. We all might be better in one area than another, but I feel like we can all contribute.

Half-Ass It

So here’s a small piece of advice, from one reformed overachiever to another (future) one: half-ass it. Pick a task, something small to start, and do it carelessly. Do half (or less) of what you would ordinarily do. Then see what happens. Consider it an experiment in which your intention is to learn, whatever the outcome. I’m betting your half-assed version is better than most people’s whole ass, but you can test that assertion yourself.

All too often people (including myself) say we’re going to do something, learn something, and then never actually do it. Doing something sloppy to learn something is often more than others do.

Don’t be afraid to admit when you don’t know something

I’ve been asked when interviewing for a front end ecommerce position how the Javascript event loop works — in detail. I told the interviewer I didn’t know, had never needed to in previous positions but was confident I could figure it out. They hired me. I’ve taken a similar tack when discussing other roles with interviewers — I don’t know, but I like to learn and I’ll figure it out. Don’t know enough React? I’ll learn. Don’t know bespoke framework/internal tool X? I’ll learn.

This is the correct mindset. Don’t try to BS through answers; people will figure it out. Learn the fundamentals and picking up new frameworks and libraries will be doable.

Start with Simple Tools

You don’t need fancy software to write. You also don’t need a £1k+ camera to take photos, the latest console to play video games, or a certificate to learn something.

I’ve seen artists use Microsoft Paint to create amazing pictures. It goes to show you don’t need fancy tools to do great things. If you’re trying something new, start with the basics and go from there.

Josh Collinsworth on CSS Gatekeeping

The question of whether CSS is a programming language serves only one purpose: to demote those who write it.

There is no confusion that needs to be clarified, and no other purpose in asking, beyond the most trivial kind of pedantry.

The debate itself is an act of gatekeeping, whether intentional or not. Its only significant effect is to elevate some work over other work, despite their essentially identical nature.

The only meaningful function of the question is segregation.

I really don’t get the whole “CSS isn’t a programming language” crowd. I see what other developers can do with CSS and am amazed. It’s something I’ve been consistently trying to improve on. The gatekeeping stuff is just BS.

Why the Short-Lived Calvin and Hobbes Is Still One of the Most Beloved & Influential Comic Strips

It took no time at all to master Garfield, but when I started getting Calvin and Hobbes, I knew I was making progress; even when I didn’t understand the words, I could still marvel at the sheer exuberance and detail of the art.

I still read Calvin & Hobbes and I’m amazed at how much more I still get out of the strips. Bits and pieces of humor, insights into life, and more still permeate the strips.

The align-content property for block layouts is now part of Baseline

There was always the running joke about how to center content. Then it became easier with CSS grid and flexbox. Now you don’t even need that.

With align-content available for block layout, you can achieve vertical alignment without needing to create a flex or grid layout for the property to work. No additional properties are needed as the item remains a block item, the only change is to the alignment.

How to Report on Trump: Tell the Truth

Reporting on Trump has been giving the media fits since he first started his presidential run in 2015. The editor for The Cleveland Plain Dealer writes about what should be obvious.

The north star here is truth. We tell the truth, even when it offends some of the people who pay us for information.

This is what journalism is supposed to be. The truth regardless of what it is.

This is not subjective. We all saw it. Plenty of leaders today try to convince the masses we did not see what we saw, but our eyes don’t deceive. (If leaders began a yearslong campaign today to convince us that the Baltimore bridge did not collapse Tuesday morning, would you ever believe them?) Trust your eyes. Trump on Jan. 6 launched the most serious threat to our system of government since the Civil War. You know that. You saw it.

The facts involving Trump are crystal clear, and as news people, we cannot pretend otherwise, as unpopular as that might be with a segment of our readers. There aren’t two sides to facts. People who say the earth is flat don’t get space on our platforms. If that offends them, so be it.

I wish more of the news media was willing to ditch the false equivalency of Trump and the GOP and focus more on the truth regardless of who it might upset.

The Quiet, Pervasive Devaluation of Frontend

But despite all these claims, CSS is also somehow “not a real programming language.” Many people online will tell you so, often quite loudly, and sometimes even using memes. Same with HTML.

Sadly I understand where Josh is coming from.

Becoming better with CSS is something I really want to do. I want to improve my skills there and slowly I think I am.

Shame on anyone who thinks that creating amazing, beautiful, and accessible layouts with HTML & CSS is “easy” or should be devalued.

Once More With Feeling: Banning TikTok Is Unconstitutional & Won’t Do Shit To Deal With Any Actual Threats

People keep saying “but they do the same to us.” That’s no excuse. We shouldn’t take a page from the Chinese censorship playbook and basically give them the moral high ground, combined with the ability to point to this move as justification for the shenanigans they’ve pulled in banning US companies from China.

If we’re doing what China is with regards to censorship, we’ve failed. This whole thing reeks of bad reasoning and of curtailing people’s speech.

Public sentiment in the US regarding China is reaching record lows, with the vast majority of Americans reasonably concerned about China’s role in the world. So if China is using TikTok to propagandize to Americans, it’s doing a shitty job of it.

Yup...

A letter to my younger self, as an accessibility advocate

It's the getting people to understand the organizational changes needed to address them that is the hard part. It's a lot of time convincing people of things that have been documented for years. It's a lot of time spent educating people on things you learned 1, 5, 10 year(s) ago.

I’ve been working on a new project at work and thankfully the team is on board in making sure it’s accessible. But I’ve been on the other side of it as well. It can be hard to make people recognize the extra work to ensure accessibility is both necessary and the right thing to do.

And I’ll also admit that I haven’t always put accessibility where it needs to be and have in the past skipped out on it. I’ve been trying to make sure that’s no longer the case.

Once More With Feeling: Banning TikTok Doesn't Do Much If We Don’t Regulate Data Brokers And Pass A Privacy Law

But banning TikTok, while refusing to pass a privacy law or regulate data brokers (which traffic in significantly greater volumes of sensitive data at much greater collective scale), winds up mostly being a performative endeavor driven more by anti-competitive intent (and a desire to control the flow and scope of modern news, information and propaganda) than any desire for serious reform.

I don’t use TikTok; I don’t have an account, nor do I intend to ever create one. But if China wants to get info on all of us, they don’t need TikTok. They can just go to a random data broker and slurp up what they have on all of us. And best of all, that’s pretty much completely legal. They can get more data than TikTok (probably) has and we’re still screwed.

But even lawmakers who sincerely believe that banning TikTok makes meaningful inroads on national security or consumer privacy generally don’t seem to understand the size and scope of the problem we’re dealing with.

That’s unfortunately so often the case in many fields when it comes to technology (and more).
