
Your cited source literally says the opposite:

> While Trenton and Paterson saw spikes this year, other cities like Newark and Jersey City haven’t seen much of a change.


The `href` attribute of the visible mole could pass the data back to the server.


Oooh, that's clever. So the mole I clicked on in the author's POC was in a position that was unique to my combination of visited and non-visited sites. The evil attacker has no way of knowing that though, until I play the "game", click on the mole, and trigger a GET request with the info. Do I have that right?


Even with JS the attacker has no way of knowing it until a user-initiated event, such as a click. But yes, in the non-JS case it must cause a full page reload, but as pointed out in a sibling thread, that could just be on a legitimate link (like, say, a link to elsewhere on the site, just passing the data in the query string).


We use Percy.io for this and can't recommend it enough. It integrates with your CI workflow, which makes a whole lot more sense to me than waiting until production. (Or to be fair, staging.)


Percy is awesome, no doubt. We're a little different than Percy though.

We don't require any code. Setup is just entering a URL. Percy doesn't really require code either, but it relies on you having already written integration tests.

We do structural diffing, not pixel diffing. Pixel diffing can be challenging to view as a developer since innocuous changes can cause massive visual pixel diffs. With structural diffing we can have a better idea of exactly what changed and highlight those regions.

We're definitely going to be integrating with CI workflows and non-production sites as well :)


Augmented it with a bit of Ruby in order to find the "SUFeedURL", which, if using the `http` protocol, means that an application is vulnerable.

https://gist.github.com/ajb/876107d0edc0f2c11779


FYI, it can be stored in theoretically any key. But it's probably worth looking for SUFeedURL* at least.

  % plutil -p /Applications/iTerm.app/Contents/Info.plist| grep SUFeedURL
  "SUFeedURLForFinal" => "https://iterm2.com/appcasts/final.xml"
  "SUFeedURLForTesting" => "https://iterm2.com/appcasts/testing3.xml"
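The check discussed in this thread (look for any SUFeedURL* key and treat a plain http:// feed as the vulnerable case), as an added Ruby example that is not the linked gist or anyone's posted code. It parses the `plutil -p` text format shown above rather than the raw plist; the sample output, bundle identifier and `example.invalid` domain are constructed placeholders, and `scan_applications` assumes macOS's `plutil` is on the path.

```ruby
require "shellwords"

# Matches a plutil -p line such as:
#   "SUFeedURLForFinal" => "https://iterm2.com/appcasts/final.xml"
# The key only has to contain SUFeedURL, so SUFeedURLForTesting etc. are caught too.
FEED_LINE = /^\s*"([^"]*SUFeedURL[^"]*)"\s*=>\s*"([^"]*)"/

# Return every Sparkle feed key/value pair found in plutil -p output.
def feed_urls(plutil_output)
  plutil_output.each_line.with_object({}) do |line, found|
    m = FEED_LINE.match(line)
    found[m[1]] = m[2] if m
  end
end

# Keep only the feeds fetched over plain http:// (the condition the thread
# describes as making the app vulnerable). The scheme check is case-insensitive.
def insecure_feed_urls(plutil_output)
  feed_urls(plutil_output).select { |_key, url| url =~ %r{\Ahttp://}i }
end

# Constructed sample mimicking plutil -p output; the app and domain are placeholders.
SAMPLE_PLUTIL_OUTPUT = <<~PLIST
  {
    "CFBundleIdentifier" => "com.example.fakeapp"
    "SUFeedURL" => "http://updates.example.invalid/appcast.xml"
    "SUFeedURLForTesting" => "https://updates.example.invalid/testing.xml"
  }
PLIST

# Walk a directory of .app bundles (default /Applications) and report each
# bundle that declares an insecure feed. Needs macOS's plutil; elsewhere the
# glob is simply empty and nothing is reported.
def scan_applications(dir = "/Applications")
  pattern = File.join(dir, "*.app", "Contents", "Info.plist")
  Dir.glob(pattern).each_with_object({}) do |plist, report|
    output = `plutil -p #{Shellwords.escape(plist)} 2>/dev/null`
    bad = insecure_feed_urls(output)
    report[plist] = bad unless bad.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Show the parser on the constructed sample, then scan a real directory.
  insecure_feed_urls(SAMPLE_PLUTIL_OUTPUT).each { |k, v| puts "sample: #{k} => #{v} (insecure)" }
  scan_applications(ARGV[0] || "/Applications").each do |plist, bad|
    puts plist
    bad.each { |k, v| puts "  #{k} => #{v}" }
  end
end
```

Run it with an optional directory argument (`ruby sparkle_check.rb /Applications`); each reported bundle is a candidate for updating or removing, since an http:// appcast is what the thread identifies as the vulnerable configuration. Note the caveat from the thread: the feed URL is not guaranteed to live under a SUFeedURL-named key, so a clean report is not proof of safety.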


Good info! I really have no clue what I'm doing. Just trying to help coworkers figure out if they need to uninstall any apps, really :)


## The Department of Better Technology - http://www.dobt.co/ - REMOTE

Our one-sentence tagline: We are dedicated to making great software that helps governments and non-profits better serve their communities.

If you've read some of the recent posts about US Digital Service or 18F, we're doing similar stuff, but from the outside-in, with mostly SaaS products. (Our flagship product, Screendoor: http://www.dobt.co/screendoor)

We're bootstrapped, profitable, and we'd love to find folks who are passionate about this kind of work. Stack is Rails / Postgres / JS -- nothing too fancy, but we're serious about the quality of our code. We're big on open-source, too: github.com/dobtco/

If you're interested in hearing more, email me at adam (at) dobt (dot) co


Half of the post is about how the new technique is vulnerable to clickjacking.


The google's blogpost says that 98 something percent of old text could be deciphered by AI. My point is, regardless of vulnerabilities of the new system, I am certain that it is more effective than the old alternative. They would have tested it.


Ruby Developer to Fix America
Department of Better Technology
Headquarters: USA
http://www.dobt.co

About us

We’re the Department of Better Technology, a Knight Foundation-funded startup that’s digging into the guts of government and trying to fix it with technology.

Job Details

We're hiring a web developer to help us revolutionize the world of government IT. We started this company after being embedded inside government and seeing first-hand the horrors of the technology that these folks have to use everyday. We worked on a project called RFP-EZ that made it super simple to view and bid on government contracts. It wasn't anything amazing -- just a simple Bootstrap site, but just by making this process easier to understand for web firms who don't specialize in government contracting, we were able to save the federal government an average of 30%.

We've been in business for just under a year, and have already created dozens of success stories - governments who are using our software to save staff time, save money, and provide better experiences for citizens. We're looking to grow our team and help us scale this success to governments across the country.

Experience

We're looking to bring on a developer who fits the following:

You are experienced in Ruby and ideally, Rails
You have strong knowledge of SQL/Postgres
You have a passion for good user experience and are excited about frontend development, too
You are comfortable working with a 100% distributed team
And last, but perhaps most important, you are as passionate as we are about our mission to revolutionize government IT

Our Culture

For many people in the technology industry, DOBT is a different kind of place to work, and a different set of people work here. Usually, they’re people who value time more than they value money. While from time to time, circumstances may call for it, you aren’t going to see a lot of 80 hour weeks, and depending on your time zone you might see some people who clock out at around 6.

You’re probably not going to be in a work environment that has a foosball table, catered lunches, and its own mass transportation either. That’s because we’re a fully remote firm. While some people may opt to work together in the same space, we want people to work from wherever they feel like it. So if you’ve always wanted to live in Japan, now’s your chance.

Diversity

DOBT is an equal opportunity employer. We will not discriminate and will take measures to ensure against discrimination in employment, recruitment, advertisements for employment, compensation, termination, upgrading, promotions, and other conditions of employment against any employee or job applicant on the bases of race, creed, color, national origin, or sex. We are committed in all areas to providing a work environment that is free from harassment.

How to apply

Fill out the form on Screendoor: https://screendoor.dobt.co/dobt/developer-hiring/ (yay for dogfooding!) Alternatively, send a note to sdp-response-hclhimz1@in.dobt.co. USA/Canada only, sorry. Recruiters and agencies will be marked as spam.


Wow. I'm surprised at how big they were able to scale, while still pushing most commits directly to master and having a test suite that took 1hr to run.


> Rails version 1.1.6 is supported in the default directory

So yes, I doubt anyone is still using GoDaddy for Rails hosting.


We're trying to make sure that Healthcare.gov never happens again.

dobt.co

