DuckDuckGo's favicon (mis)management leaks user privacy for 2+ years

Turns out DDG has been using a favicon proxy since 2018 that effectively sends the domain of every website users visit in the app to their servers. This was first reported a year ago and shrugged off (and closed) by them because they say they aren’t keeping any of those requests.

At DuckDuckGo, we do not collect or share personal information. That’s our privacy policy in a nutshell. – tagawa

The issue sat dormant until it resurfaced yesterday when many other users stated their concern with the naive server-side implementation:

Yes, we already trust DDG, but only because we have to trust someone and others have proved to be untrustworthy. The issue isn’t about whether the user trusts DDG, it’s about minimizing the need for trust and maximizing the ability to verify privacy. Please consider reopening this issue. – svenssonaxel

It was suggested that this feature could/should be handled on-device and this comment on Hacker News points to Mozilla’s open source implementation that does just that. Finally, DDG’s CEO Gabriel Weinberg woke up (literally) and committed to changing the implementation.

All’s well that ends well?
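The privacy problem with a server-side favicon proxy is that the visited site's hostname is embedded in a request to a third party. Below is an added example (not from DDG, Mozilla, or the original post) that scans captured outbound requests for that pattern and shows the first-party alternative; the proxy hostname `icons.proxy.example` and the `/ip3/<domain>.ico` layout are constructed placeholders, not DDG's real endpoint.

```python
"""Spot favicon-proxy requests in an app's outbound traffic (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample of outbound requests captured from a browser app.
# Only the third-party favicon requests reveal which sites the user visited.
SAMPLE_REQUESTS = [
    "GET https://news.example.org/index.html",
    "GET https://news.example.org/favicon.ico",                 # first-party, fine
    "GET https://icons.proxy.example/ip3/bank.example.com.ico",    # leaks a visit
    "GET https://icons.proxy.example/ip3/health.example.net.ico",  # leaks a visit
    "GET https://cdn.example.com/assets/app.js",
]

# Loose hostname shape: at least one dotted label plus a TLD.
HOSTNAME_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}", re.I)


def favicon_proxy_leaks(requests):
    """Return {proxy_host: {visited_domain, ...}} for .ico requests whose
    filename is a hostname other than the server the request goes to."""
    leaks = {}
    for line in requests:
        parsed = urlparse(line.split()[-1])
        segment = parsed.path.rsplit("/", 1)[-1].lower()
        if not segment.endswith(".ico"):
            continue
        embedded = segment[: -len(".ico")]
        # "favicon.ico" carries no domain; a proxy request carries the visited site.
        if not HOSTNAME_RE.fullmatch(embedded) or embedded == parsed.hostname:
            continue
        leaks.setdefault(parsed.hostname, set()).add(embedded)
    return leaks


def first_party_favicon_url(page_url):
    """On-device alternative: ask the visited site itself for its icon, so no
    third party learns about the visit (the site already knows)."""
    parsed = urlparse(page_url)
    return f"{parsed.scheme}://{parsed.hostname}/favicon.ico"


if __name__ == "__main__":
    for proxy, domains in favicon_proxy_leaks(SAMPLE_REQUESTS).items():
        print(f"{proxy} learned visits to: {sorted(domains)}")
    print(first_party_favicon_url("https://bank.example.com/login"))
```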


Super Productivity – To-do list & time tracker for programmers

Organize your daily tasks in one place while making time tracking a lot less annoying. Super Productivity is a ToDo List / Time Tracker / Personal Jira Task Manager for Linux, MacOS and Windows aimed at reducing the time you spend on repetitive tasks and providing you with a place to collect all the information you need to do your job.

This is a bit too much engineering for me, but perhaps you’ll like it.


Zach Leatherman

Use Speedlify to continuously measure site performance

Zach Leatherman:

Instantaneous measurement is a good first step. But how do we ensure that the site maintains good performance and best practices when deploys are happening every day? How do we keep the web site fast? The second step is continuous measurement. This is where Speedlify comes in. It’s an Eleventy-generated web site published as an open source repository to help automate continuous performance measurements.

Demo here.



Worrying about the npm ecosystem

Sam Bleckley:

The npm ecosystem seems unwell. If you are concerned with security, reliability, or long-term maintenance, it is almost impossible to pick a suitable package to use — both because there are 1.3 million packages available, and even if you find one that is well documented and maintained, it might depend on hundreds of other packages, with dependency trees stretching ten or more levels deep — as one developer, it’s impossible to validate them all.

He then spends some time measuring the extent of the problem.

Salvatore Sanfilippo

Antirez steps down as Redis maintainer

Salvatore Sanfilippo:

So, dear Redis community, today I’m stepping back as the Redis maintainer. My new position will be, on one side, an “ideas” person at Redis Labs, in order to provide inputs for new Redis possibilities: I’ll continue to be part of the Redis Labs advisory board. On the other hand however my hands will be free, and I’ll do something else, that could be writing code or not, who knows, I don’t want to make plans for now. However I’m very skeptical about me not writing more code in the future. It’s just too much fun :D

Thank you, Salvatore, for your many years of work on one of my favorite pieces of software.


How to use YouTube to learn tacit knowledge

This article isn’t about software development, per se, though there is a section on learning programming. Instead, it’s about YouTube itself and how it’s become an amazing platform for knowledge transfer.

In this piece, we’re going to walk through a number of ways you may use YouTube for tacit knowledge acquisition, on a domain-by-domain basis. I’m afraid the anecdotes here are necessarily domain-specific, but the purpose of this piece is to give you certain patterns that you may adapt to whatever skillset you want to acquire in whatever domain you’re interested in.

It’s a shame that a thing as valuable to humanity as YouTube is owned by a single corporate entity. This makes me appreciate Wikipedia even more…

Tanya Janca

Where can we learn threat modelling?

The linked post is Tanya Janca advising on where (and how) you can learn threat modelling for yourself. What’s threat modelling?

… a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified, enumerated, and mitigations can be prioritized.

See also: Martin Fowler’s guide to threat modelling for developers.

Paul Orlando

On unintended consequences

Paul Orlando’s writings on second-order effects:

To understand the world you should think about systems, complexity, and causes of unintended consequences. We don’t do that enough.

I focus my writing on the study of these topics, frameworks to evaluate decisions, and bringing together people with these interests. Subscribe and read it via email since I include other content there.

I subscribed. This has been a recurring theme in a couple of our recent conversations on The Changelog. Here’s a clip of Jessica Kerr and myself riffing on the subject.


LEGO blocks and organ transplants

This post is so brief that I’ll just quote it in its entirety for you:

People have been comparing software components to LEGO blocks for a couple decades. We should be able to assemble applications by snapping together modular components, just like LEGOs. There has been progress, but for the most part we haven’t realized the promise of LEGO-style software development.

Integrating two software systems is usually more like performing a heart transplant than snapping together LEGO blocks. It can be done—if there’s a close enough match and the people doing it have enough skill—but the pieces don’t fit together trivially. And failure may not be immediately obvious; it may take a while to see signs of rejection.

Just as true today as it was when John wrote it in 2011.

Practical AI #94

Operationalizing ML/AI with MemSQL

A lot of effort is put into the training of AI models, but, for those of us that actually want to run AI models in production, performance and scaling quickly become blockers. Nikita from MemSQL joins us to talk about how people are integrating ML/AI inference at scale into existing SQL-based workflows. He also touches on how model features and raw files can be managed and integrated with distributed databases.

Nabeel Qureshi

Video games are the future of education

Nabeel shares some great insights about using games/simulations for learning in this post — I recommend reading it if the topic piques your interest (always be learning, amirite?).

Learning is just the act of engaging with an external thing and performing many conjecture/criticism loops, forming conclusions, and building on them to form a body of knowledge.

So it makes sense that video games would be the primary educational environment of the future: they are the best way we have of (a) creating simulations of reality (b) with fast feedback loops (c) accessible at low cost.


Julia Evans

A little bit of plain JavaScript can do a lot

Julia Evans:

I was pretty surprised by how much I could get done with just plain JS. I ended up writing about 50 lines of JS to do everything I wanted to do, plus a bit extra to collect some anonymous metrics about what folks were learning.

Listeners of JS Party know I’m an advocate for JavaScript sprinkles. Not on every site, but on most sites I think that’s the best way to start out.

Now more than ever, you can get a lot done with what’s right there in the browser. Wait until you feel the pain before you solve the problem. Who knows, maybe you’ll never have to…
