500 Million
No, not dollars, which while an almost staggering amount for most humans to even contemplate is barely chump change for Facebook–500 million phone numbers, and other important identifying information about their users, leaked.
Somehow the phone number part seems to impact people more than the leak of email addresses, an almost routine occurrence it would seem. Were you impacted? If you’ve not yet done to, head to the amazing Have I Been Pwned? (run by Australian and past Web Directions speaker Troy Hunt) and find out if your number or email have ever been compromised (he’s amassed a database of billions of leaks you can search, and even set up alerts for when your credentials are part of a leak). You canals find out what other accounts at online services going back over years you’ve had compromised while you are at it.
The Facebook phone number leak is galling, infuriating, depressing, above all because Facebook started asking users for their phone number to (ostensibly) provide additional security by using text messages as a second factor in authenticating users. And then started using these numbers as an additional channel for keeping users engaged with their platform.
So in theory they only had these numbers to protect your security. We also covered why SMS for 2 Factor Authentication (2FA) is really not a great idea in a recent weekly post.
Frankly, our entire industry has, on the whole, for far too long, treated privacy, security, (and accessibility while we’re at it), indeed anything that looks like a cost as something to be complied with as inexpensively as possible. If not ignored entirely.
Meanwhile Facebook has shrugged off one of the largest leaks in history (it’s listed in the top 5 by number at Have I Been Pwned), with little press coverage, and seeming no impact on their share price.
So this week I thought I’d focus a little on privacy and security. Because we have to do better.
Troy Hunt Bought CoinHive.com
Troy Hunt, mentioned above, security and privacy legend, published this long but legitimate piece on April 1st about buying the coinhive.com domain. Coinhive was a site that allowed you to [archived version] “Monetize Your Business With Your Users’ CPU Power”
Continues Troy
So, instead of serving ads you put a JavaScript based cryptominer on your victi… sorry – visitors – browsers then whilst they’re sitting there reading your content, you’re harvesting Monero coin on their machine. They’re paying for the CPU cycles to put money into your pocket – ingenious! But there were two massive problems with this and the first one is probably obvious: it’s a sleazy business model that (usually unknowingly) exploits people’s electricity bills for the personal gain of the site operator. It might only be exploiting them a little bit (how much power can an in-browser JS cryptominer really draw?), but it still feels super shady. The second problem is that due to the anonymous nature of cryptocurrency, every hacker and their dog wanted to put Coinhive on any sites they were able to run their own arbitrary JavaScript on.
I Now Own the Coinhive Domain
Set aside a few minutes and read the whole thing. I’ve rarely if ever seen a better explanation of so many security challenges, and some of the things, like Content Security Policy we can use as developers to help protect our sites (and our users). More on all this at an upcoming conference we’ll be announcing very soon.
5 ways to prevent code injection in JavaScript and Node.js
Liran Tal, from security focussed startup Snyk recently posted this article. Some things most developers probably know and practice (like not using eval()
!) but much more as well.
Defensive JavaScript
In a similar vein, Defensive JavaScript, by Mike Samuel is about “How to write code that doesn’t do what it oughtn’t.”
Sometimes we developers are asked to wear many different hats. I’ve felt like I needed to be a graphic designer to craft CSS, an anthropologist when dealing with forty languages worth of I18N/L10N, or a detective when piecing together logs and git history to find a heisenbug in legacy code.
Rather than asking you to wear yet another hat, here are a few approaches I take when wearing my security engineer hat that might help you write code that you and your friendly, neighbourhood blue teamers can have confidence in.
Mike Samuel, Defensive JavaScript
To sharpen your skills, Mike finishes with “Puzzling towards security”, a video series where he presents a series of JS related capture-the-flag style puzzles.
Meanwhile in Accessibility news
In keeping with our theme, of treating responsibilities to our users as costs to be minimised or eliminated (when they can’t simply be ignored), it’s 2021 and companies are still contesting the legal accessibility requirements that legislation like the Americans With Disabilities Act mandate, and only this week a US appeals court, going against many years of decisions in the US and elsewhere
vacate[d] a federal judge’s decision that the Winn-Dixie supermarket chain’s website violated the Americans With Disabilities Act by being inaccessible to visually impaired people who use screen-reader software
Courthouse News Service
The court’s reasoning was that The Americans With Disabilities Act “listed types of locations [that] are tangible, physical places. No intangible places or spaces, such as websites, are listed”. And so the court reasoned, the Act does not apply to Web sites.
One can only imagine the cost of this action to the supermarket chain–without doubt many many times the cost of meeting the needs of their users with visual disabilities. No, this was an act of “principle”.
Despite the fact this supermarket chain, along with every other business that runs whole or in part on the Web has benefitted extraordinarily from the existence of that World Wide (emphasise mine) Web–one of the founding principles of which is access to all, regardless of disabilities.
The World Wide Web is an extraordinary gift to the world. Tim Berners-Lee, Robert Cailliau, and others involved in the early development of the Web worked diligently to have CERN, which, by virtue of being their employer, owned the intellectual property of the Web, release it into the public domain, for the entire world to benefit from. As Berners-Lee tweeted during the opening of the London Olympic Games, “this is for everyone” (not “This is for corporations to vastly enrich themselves while avoiding any responsibility to their customers”.)
Sadly relying on the good will and decency of many organisations to live up to their side of the bargain is too much to expect.
We have to do better.
In 2022 we have a whole series of events for Front End Developers
Across 2022 Web Directions is presenting our series of online conferences for front end designers and developers. Focussed deep dives, they go far beyond what you might expect from conference programs.
Priced individually from $195, or attend all 6, plus get access to our conference presentation platform Conffab for just $595, or $59 a month.
Great reading, every weekend.
We round up the best writing about the web and send it your way each Friday.