Open source developer corrupts widely-used libraries, affecting tons of projects

The sabotaged versions produce an endless string of illegible text.

A developer appears to have purposefully corrupted a pair of open-source libraries on GitHub and software registry npm — “faker.js” and “colors.js” — that thousands of users depend on, rendering any project that contains these libraries useless.

While it looks like colors.js has been updated to a working version, faker.js still appears to be affected, but the issue can be worked around by downgrading to a previous version (5.5.3).

Bleeping Computer found that the developer of these two libraries, Marak Squires, introduced a malignant commit (a file revision on GitHub) to colors.js that adds “a new American flag module,” as well as rolled out version 6.6.6 of faker.js, triggering the same destructive turn of events. The sabotaged versions cause applications to infinitely output strange letters and symbols, beginning with three lines of text that read “LIBERTY LIBERTY LIBERTY.”
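The workaround above (pinning faker.js back to 5.5.3) only holds if the lockfile actually stays on that version. As an added example for this post, not the article's text and not code from the faker or colors projects, here is a small audit that reads an npm v2/v3 `package-lock.json` and fails when any installed copy of a pinned package, nested copies included, has resolved to something other than the pin. The lockfile fragment, the pin policy and the `@demo/logger` package are constructed for illustration; 5.5.3 and 6.6.6 are the faker versions named above.

```javascript
// Added example (not from the article or the faker/colors projects): audit an
// npm v2/v3 package-lock.json against an exact-pin policy so CI fails before
// `npm ci` installs a release you did not choose. Sample data below is constructed.

const SEMVER = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

function parseVersion(v) {
  const m = SEMVER.exec(v || "");
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null } : null;
}

// "node_modules/report-tool/node_modules/faker" -> "faker"; scoped names keep their scope.
function packageName(key) {
  const i = key.lastIndexOf("node_modules/");
  return i < 0 ? null : key.slice(i + "node_modules/".length);
}

// Every installed copy of a pinned package must resolve to exactly the pinned
// version. Returns an array of findings; an empty array means the lockfile is clean.
function auditLock(lock, policy) {
  const findings = [];
  const seen = new Set();
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(key);
    if (name === null || !(name in policy)) continue;
    seen.add(name);
    const pinned = policy[name];
    const got = parseVersion(entry.version);
    if (!got) {
      findings.push({ name, path: key, reason: `unparseable version "${entry.version}"` });
    } else if (entry.version !== pinned) {
      // A pre-release tag on a pinned package is called out separately: it is the
      // shape a hand-published sabotage release usually takes.
      const why = got.prerelease ? `pre-release "${entry.version}"` : `resolved ${entry.version}`;
      findings.push({ name, path: key, reason: `${why}, pinned ${pinned}` });
    }
  }
  for (const name of Object.keys(policy)) {
    if (!seen.has(name)) findings.push({ name, path: null, reason: "pinned but absent from lockfile" });
  }
  return findings;
}

// Constructed lockfile fragment: the top-level faker drifted to 6.6.6, a nested
// copy is still on 5.5.3, and a (hypothetical) scoped package picked up an rc tag.
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/faker": { version: "6.6.6" },
    "node_modules/colors": { version: "1.4.0" },
    "node_modules/report-tool": { version: "1.0.0" },
    "node_modules/report-tool/node_modules/faker": { version: "5.5.3" },
    "node_modules/@demo/logger": { version: "2.0.0-rc.1" },
  },
};

// Constructed policy: exact versions only, no ranges.
const pinPolicy = { faker: "5.5.3", colors: "1.4.0", "@demo/logger": "2.0.0" };

const report = auditLock(sampleLock, pinPolicy);
for (const f of report) {
  console.log(`${f.name} at ${f.path ?? "(missing)"}: ${f.reason}`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` and exit non-zero when `report` is not empty. Pair it with `npm ci` rather than `npm install` in CI: `npm ci` installs exactly what the lockfile records, while `npm install` may re-resolve ranges and quietly pull in a newer release.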

The story doesn’t end there, though. Bleeping Computer dug up one of Squires’ posts on GitHub from November 2020, in which he declares he no longer wants to do free work. “Respectfully, I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work,” he says. “Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it.”

Squires’ bold move draws attention to the moral — and financial — dilemma of open-source development, which was likely the goal of his actions. A massive number of websites, software, and apps rely on open-source developers to create essential tools and components — all for free. It’s the same issue that results in unpaid developers working tirelessly to fix the security issues in their open-source software, like the Heartbleed scare in 2014 that affected OpenSSL and the more recent Log4Shell vulnerability found in log4j that left volunteers scrambling to fix it.

This is an interesting situation, and I can see Marak’s move opening up a can of worms across the industry, but introducing changes that create infinite loops in software that uses your library just doesn’t seem a good way to go about it.

Judge orders Apple to allow external payment options for App Store by December 9th, denying stay

The stay is denied.

Epic v. Apple judge Yvonne Gonzalez Rogers says Apple must comply with an order to let developers add links and buttons to external payment options, denying the company’s motion for a stay. “Apple’s motion is based on a selective reading of this Court’s findings and ignores all of the findings which supported the injunction,” her new order reads.

Judge Gonzalez Rogers issued her order after a Tuesday hearing concerning the blockbuster antitrust lawsuit, which Fortnite publisher Epic Games filed in 2020 and which went to trial this year. During the hearing, Apple said it needed more time to rewrite its anti-steering policies — rules that bar app developers from linking to payment methods besides the iOS App Store.

“This will be the first time Apple has ever allowed live links in an app for digital content. It’s going to take months to figure out the engineering, economic, business, and other issues,” said Apple attorney Mark Perry. “It is exceedingly complicated. There have to be guardrails and guidelines to protect children, to protect developers, to protect consumers, to protect Apple. And they have to be written into guidelines that can be explained and enforced and applied.”

Apple says it plans to appeal to the Ninth Circuit for a stay, since it didn’t get one from Judge Gonzalez Rogers. “Apple believes no additional business changes should be required to take effect until all appeals in this case are resolved. We intend to ask the Ninth Circuit for a stay based on these circumstances,” writes an Apple spokesperson.

Apple arguing that it needs time for “substantial engineering” to let people start adding buttons and links to outside payment methods hasn’t really been its best argument either.

Eight Things Apple Could Do to Prove It Actually Cares about App Store Users

Mind the store

When you spend money in Apple’s App Store, the company generally takes a 30 percent cut — one that adds up to an estimated $19 billion per year. Apple’s currently in the fight of its life to prove to judges, government regulators, and its own developers that it deserves those dollars, but not everyone’s buying it anymore.

Over the past seven days alone, South Korea declared its disbelief on the global stage, passing a landmark bill that could keep Apple and Google from directly collecting their 30 percent cut, and may inspire other governments to do the same. Developers also expressed their rage at an Apple press release, where the company spun its agreement to settle a lawsuit for $100 million as a $100 million fund for developers — while quietly promising 30 million of those dollars to the lawyers and enacting no truly significant changes. The CEO of Hopscotch shared her story of how Apple’s App Store review team repeatedly gaslit her, insisting there was an issue with the well-liked kids coding app that didn’t actually exist.

On Wednesday, Apple made a slightly more significant concession for (big) developers, and as Nick Heer writes, the company seems to have momentarily dropped its smug tone. But we don’t need to get into complex developer negotiations to point out the head-bangingly obvious ways Apple is falling down on the job.

While the company claims the App Store is “curated by experts,” that it is “a safe and trusted place to discover and download apps,” and that it holds apps to “the highest standards for privacy, security, and content,” the company’s own emails paint a different picture. They show that Apple knew for years about the exact kind of egregious scams that bilk iPhone users out of millions of dollars, long before our report, and yet they keep failing to stop them from invading the App Store.

It bears repeating: Apple is the most valuable and profitable company in the world. The company currently makes $10,000 every second on average, $3,600 of which is profit, a large portion of which comes from the App Store itself. (The App Store alone has been a bigger business than the Mac or iPad since 2016, see #10 here.)

If Apple wanted to change this system, it could. But I expect Apple will only be dragged kicking and screaming into a world with a more functional App Store, because it seems incapable of taking the blindingly obvious steps that might better protect its users — again, despite being the most valuable and profitable company in the world.

Here are eight to start.

I’ll leave it to you to go read the eight things, but I agree with all of them: Apple needs to do some damage control and build better relations.

Facebook shouldn’t be allowed to buy Giphy, says UK regulator

Facebook’s deal to buy the GIF search engine Giphy should be unwound due to competition concerns, according to the UK’s Competition and Markets Authority.

15 months ago, Facebook said it was buying the popular GIF search engine Giphy for about $400 million. Now the acquisition may be a bust, thanks to an antitrust probe by the UK’s Competition and Markets Authority.

In a preliminary findings report published Thursday, the CMA said the deal should be unwound because it will “negatively impact competition between social media platforms.”

The CMA’s reasoning for wanting to block the Giphy deal is as follows:

“Millions of posts every day on social media sites now include a GIF. Any reduction in the choice or quality of these GIFs could significantly affect how people use these sites and whether or not they switch to a different platform, such as Facebook. As most major social media sites that compete with Facebook use Giphy GIFs, and there is only one other large provider of GIFs – Google’s Tenor – these platforms have very little choice.

The CMA provisionally found that Facebook’s ownership of Giphy could lead it to deny other platforms access to its GIFs. Alternatively, it could change the terms of this access – for example, Facebook could require Giphy customers, such as TikTok, Twitter and Snapchat, to provide more user data in order to access Giphy GIFs. Such actions could increase Facebook’s market power, which is already significant.”

Putting aside the logic that someone would switch to using Facebook because of GIFs (I love GIFs as much as the next person, but come on), the CMA argues that Giphy was in the process of building up an ads business that would have competed with Facebook. It claims that Facebook made Giphy end those plans after it announced the deal, thereby reducing competition in the marketplace.

Facebook has refuted this idea in past submissions to the CMA, citing internal documents it and Giphy both submitted to the agency for the probe. In May, Facebook wrote in a filing to the watchdog that Giphy had “no meaningful audience of its own” and was already “reliant on Facebook for a significant proportion of its user traffic.”

Whether Facebook is allowed to buy Giphy or not, the scrutiny on this deal shows how Facebook’s era of social media-related acquisitions may be over. Its more recent $1 billion acquisition attempt for Kustomer, a customer service platform for businesses, is under antitrust review in multiple countries and could also be blocked. The only types of acquisitions that Facebook has been able to get away with in the last few years are related to its augmented and virtual reality efforts.

Drew Devault: “In praise of PostgreSQL”

Drew Devault:

After 25 years of persistence, and a better logo design, Postgres stands today as one of the most significant pillars of profound achievement in free software, alongside the likes of Linux and Firefox. PostgreSQL has taken a complex problem and solved it to such an effective degree that all of its competitors are essentially obsolete, perhaps with the exception of SQLite.

For a start, Postgres is simply an incredibly powerful, robust, and reliable piece of software, providing the best implementation of SQL. It provides a great deal of insight into its own behavior, and allows the experienced operator to fine-tune it to achieve optimal performance.

It supports a broad set of SQL features and data types, with which I have always been able to efficiently store and retrieve my data. SQL is usually the #1 bottleneck in web applications, and Postgres does an excellent job of providing you with the tools necessary to manage that bottleneck.

Fish and Brewis

Fish and Brewis is a favourite traditional dish from Newfoundland (my home province). It combines fish, potatoes, pork, hardtack, onions, butter and salt.

What you need

  • 4 loaves hard bread
  • 2 lbs cod fish
  • 6 -8 potatoes
  • 1 cup salt pork (or pork belly), finely diced
  • 2 cups onions, diced
  • 1⁄4 cup butter
  • 2 medium onions, chopped
  • 2 tablespoons flour
  • 1 cup water
  • Hardtack:
    • 4 -5 cups flour
    • 2 cups water
    • 3 teaspoons salt

How to make it:

We’ll start with the hardtack as that has to be made first:

  1. Mix the flour, water and salt together, and make sure the mixture is fairly dry.
  2. Roll it out to about 1/2 inch thickness, and shape it into a rectangle.
  3. Cut it into 3×3 inch squares, and poke holes in both sides.
  4. Place on an un-greased cookie or baking sheet, and cook for 30 minutes per side at 375
  5. When it’s done, you’ll want to let it dry and harden for a few days, just out in the open. When it has the consistency of a brick, it’s fully cured. Then simply store it in an airtight container or bucket.

To prepare for eating, soak it in water or milk for about 15 minutes, and then fry in a buttered skillet. You can eat it with cheese, soup or just plain with a little salt added. Any way you do it, it’s delicious!

Now, let’s make the rest:

  1. Soak hardtack overnight in cold water
  2. Soak cod overnight in large pot of water as well.
  3. In the morning, drain cod water and soak with fresh water.
  4. Once you are ready to cook, place potatoes in the same pot as the cod and simmer gently until cooked
  5. Remove from heat and drain.
  6. Heat hardtack slowly until it comes to a boil and drain.
  7. There are two toppings with Fish and Brewis: Drawn butter and Scrunchins
  8. Drawn Butter:
    1. Melt butter
    2. Add onions and fry until soft
    3. Add Water, bring to a boil and then add flour to thicken.
  9. Scrunchins:
    1. Place salt pork (or pork belly) in frying pan.
    2. Heat over medium heat until grease is drawn from the salt pork.
    3. Add onions and then cook until tender.
  10. Serve and enjoy.

Google will require employees to be vaccinated before returning to offices

Starting with US workers “in the coming weeks.”

Google will require that employees be vaccinated before they’re allowed to return to the company’s offices, CEO Sundar Pichai announced today in a letter obtained by The New York Times.

The announcement marks Google as one of the first major technology companies to require that employees be vaccinated before they return to work. The news comes as part of a new wave of vaccination requirements this week, spurred by the Biden administration reportedly planning to announce a requirement for federal workers to either be vaccinated or face frequent testing for COVID-19 sometime on Thursday.

Google’s vaccination requirement will reportedly apply to workers at US offices “in the coming weeks” and to other regions “in the coming months,” per the NYT.

Additionally, Google will be delaying its official return to offices from sometime in September to October 18th, as the Delta variant of COVID-19 continues to spike across the United States. It joins Apple, which also postponed the end of its remote working policy to “October at the earliest” over similar COVID concerns.

This isn’t really a surprise; it’s only a matter of time before other companies make the same decision before going back to offices.

Careful with WiFi names on your iPhone.

A few weeks ago, Schou and his not-for-profit group, Secret Club, which reverse-engineers software for research purposes, found that if an iPhone connected to a network with the SSID %p%s%s%s%s%n, it would trigger a bug in iOS’ networking stack that disabled its Wi-Fi, and system networking features like AirDrop would become unusable.

A possible explanation for this bug from 9to5 Mac:

the ‘%[character]’ syntax is commonly used in programming languages to format variables into an output string. In C, the ‘%n’ specifier means to save the number of characters written into the format string out to a variable passed to the string format function.

The Wi-Fi subsystem probably passes the Wi-Fi network name (SSID) unsanitized to some internal library that is performing string formatting, which in turn causes an arbitrary memory write and buffer overflow.

This will lead to memory corruption and the iOS watchdog will kill the process, hence effectively disabling Wi-Fi for the user.
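To make the explanation above concrete, here is an added example for this post (not code from Secret Club, 9to5Mac or Apple): a small model of how a C-style formatter walks a format string it was handed, used to show what `%p%s%s%s%s%n` does once the SSID becomes the format instead of an argument, plus a checker you can put in front of any native formatter you cannot change. The directive grammar is deliberately simplified (no flags, width or precision), and `argCount` stands in for the variadic arguments the real call site passed.

```javascript
// Added example (not Apple's, Secret Club's or 9to5Mac's code): model a C-style
// formatter's consumption of an untrusted format string, then neutralize it.

const CONVERSIONS = {
  s: "read-pointer", p: "read-pointer",   // dereference / print a pointer-sized argument
  d: "read-int", i: "read-int", u: "read-int",
  x: "read-int", X: "read-int", c: "read-int",
  n: "write",                             // store "characters written so far" through a pointer argument
};

// Walk fmt the way printf would and record what each directive does.
// argCount is how many variadic arguments the caller actually supplied.
function analyzeFormat(fmt, argCount) {
  const effects = [];
  let slot = 0;                                   // next variadic slot the formatter will consume
  for (let i = 0; i < fmt.length; i++) {
    if (fmt[i] !== "%") continue;
    const conv = fmt[++i];
    if (conv === "%") continue;                   // "%%" prints a literal percent sign
    if (conv === undefined) {                     // trailing "%": undefined behaviour in C
      effects.push({ directive: "%", kind: "malformed", slot: null, outOfRange: false });
      break;
    }
    const kind = CONVERSIONS[conv] || "unknown";  // unknown conversions are also UB in C
    effects.push({ directive: "%" + conv, kind, slot, outOfRange: slot >= argCount });
    slot++;                                       // every conversion consumes one argument slot
  }
  const summary = {
    directives: effects.length,
    reads: effects.filter((e) => e.kind.startsWith("read")).length,
    writes: effects.filter((e) => e.kind === "write").length,
    outOfRange: effects.filter((e) => e.outOfRange).length,
  };
  return { effects, summary };
}

// The preferred fix is at the call site: snprintf(buf, n, "%s", ssid), so the
// untrusted text is an argument and "%s" is the only directive. When you cannot
// change the callee, escape every "%" so the formatter sees only literal percents.
function neutralizeFormat(untrusted) {
  return untrusted.replace(/%/g, "%%");
}

// True when the string, used as a format, would do nothing but print itself.
function isInertAsFormat(s) {
  return analyzeFormat(s, 0).effects.length === 0;
}

const hostileSsid = "%p%s%s%s%s%n";            // the SSID from the report above
const hostile = analyzeFormat(hostileSsid, 0);  // 0 args: what a bare printf(ssid) supplies
console.log(hostile.summary);                   // 6 directives, 5 reads, 1 write, all 6 out of range
console.log(hostile.effects[5]);                // the %n: a write through a slot that was never passed
console.log(isInertAsFormat(neutralizeFormat(hostileSsid)));   // true
console.log(isInertAsFormat("Home WiFi 100%"));                // false: dangling "%" is malformed
```

The five reads pull pointer-sized values from argument slots the caller never supplied, which in C means whatever happens to sit in registers or on the stack, and the final `%n` turns one of those values into a write address. That is the "arbitrary memory write" the 9to5Mac quote describes. The checker is cheap enough to run over every SSID, hostname or log field before it reaches a native logging routine, and `neutralizeFormat` is the standard last-resort mitigation when that routine is not yours to fix.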

Basecamp’s crazy week…

First, Casey Newton broke the news on some controversy from Basecamp that happened due to a list:

The controversy that embroiled enterprise software maker Basecamp this week began more than a decade ago, with a simple list of customers.

Around 2009, Basecamp customer service representatives began keeping a list of names that they found funny. More than a decade later, current employees were so mortified by the practice that none of them would give me a single example of a name on the list. One invoked the sorts of names Bart Simpson used to use when prank calling Moe the Bartender: Amanda Hugginkiss, Seymour Butz, Mike Rotch.

Many of the names were of American or European origin. But others were Asian, or African, and eventually the list — titled “Best Names Ever” — began to make people uncomfortable. What once had felt like an innocent way to blow off steam, amid the ongoing cultural reckoning over speech and corporate responsibility, increasingly looked inappropriate, and often racist.

Discussion about the list and how the company ought to hold itself accountable for creating it led directly to CEO Jason Fried announcing Tuesday that Basecamp would ban employees from holding “societal and political discussions” on the company’s internal chat forums. The move, which has sparked widespread discussion in Silicon Valley, follows a similar move from cryptocurrency company Coinbase last year.

Fried’s memo was revised and updated several times; co-founder David Heinemeier Hansson followed with one of his own. Together, they are two of the most outspoken leaders in the entire tech industry on issues related to company culture, remote work, and collaboration. The company has published five books on work culture, one of which was a New York Times bestseller.

But both of their posts avoided discussing the actual series of events that had led up to the policies, which were related directly to the workplace. In fact, the events all took place on Basecamp’s own software, which it sells to other companies on the promise of improving cohesion and reducing stress in the workplace.

Employees say the founders’ memos unfairly depicted their workplace as being riven by partisan politics, when in fact the main source of the discussion had always been Basecamp itself.

“At least in my experience, it has always been centered on what is happening at Basecamp,” said one employee — who, like most of those I spoke with today, requested anonymity so as to freely discuss internal deliberations. “What is being done at Basecamp? What is being said at Basecamp? And how it is affecting individuals? It has never been big political discussions, like ‘the postal service should be disbanded,’ or ‘I don’t like Amy Klobuchar.’”

Basecamp employees are encouraged to discuss the company’s own political positions — or, perhaps more accurately, the founders’ political positions — as much as they like. Keeping track of which issues of the moment are up for discussion thus becomes one more chunk of mental overhead for employees who are already struggling.

Hansson told me that the rules are not draconian — no one is going to be bounced out the door for occasionally straying out of bounds. The founders’ goal is to reset the culture and focus on making products, he said, not to purge political partisans from the workforce.

But to employees, the move was received more as a shift to willful ignorance — about the world around them, and about the lived experiences of the employees who occupied it.

“There’s always been this kind of unwritten rule at Basecamp that the company basically exists for David and Jason’s enjoyment,” one employee told me. “At the end of the day, they are not interested in seeing things in their work timeline that make them uncomfortable, or distracts them from what they’re interested in. And this is the culmination of that.”

DHH’s own post has some interesting takes as well:

Casey’s reporting for The Verge brought some of the dirty laundry that helped motivate our change of direction regarding societal politics at Basecamp onto the public record. It erased part of that fine line we try to toe between sharing as much of the inner workings at the company as possible while respecting the confidentiality of employees, internal deliberations, and heated discussions. That’s why we didn’t include it in the public announcements in the first place. It’s difficult to retain good working relationships if you’re concerned about what might be turned into a story or not.

At the same time, leaks of all kinds have brought serious issues to light in the industry. And investigative reporters are not only completely within their right to cultivate and use such leaks, I’d say they’re obligated to do it! So it’s only right and fair that when this is turned at Basecamp, at least when evaluating the reporting, we take it on the chin.

Either way, now that particularly the incident regarding the Best Names List (read Casey’s piece for his reporting based on employee leaks) is on the public record, I think it’s also only right and fair to share our internal response, as well as the specific comment that ended up being reported to HR. Then it’s out there for anyone to consider for themselves.

So if that is something you want, I continue to believe that a diverse workforce _should_ be something that you want, you have to consider what guardrails to put on the internal discourse. My belief is that the key to working with other people of different ideological persuasions is to find common cause in the work, in the relations with customers, in the good we can do in the industry. Not to repeatedly seek out all the hard edges where we differ. Those explorations are better left to the smaller groups, to discussions outside of the company-wide stage, and between willing participants.

I respect that others will come to different conclusions on all of these questions. Particularly around whether the new direction we’ve set at Basecamp, where these societal political questions unrelated to work are being moved from company workspaces to private employee channels, is incompatible with what they want out of a company. We all have our principles, and I will always respect people who are willing to follow theirs.

Yesterday, we offered everyone at Basecamp an option of a severance package worth up to six months salary for those who’ve been with the company over three years, and three months salary for those at the company less than that. No hard feelings, no questions asked. For those who cannot see a future at Basecamp under this new direction, we’ll help them in every which way we can to land somewhere else.

These are really hard questions. I’ve been inundated with emails from executives and employees who are wrestling with them at their companies. I hope that the airing of our dirty laundry, and the shitstorm it’s caused, can help others answer their own questions better. Whatever the answer they deem right for them.

It’s also a really hard time. We’ve always been a remote company, but we’ve never gone a year and a half without seeing each other. Normally, we’d all have met up thrice during this time to recharge, reconnect, and rehumanize. Add to that all the stress from the pandemic, from those societal politics, from, well, everything we’ve been through recently, and it’s no wonder that everyone is extra vulnerable, extra quick to jump to conclusions, extra likely to escalate. We’re human and that’s a human response.

At Basecamp, it’s going to be a tough transition. We’ve committed to a deeply controversial stance, some employees are relieved, others are infuriated, and that pretty well describes much of the public debate around this too. But this too shall pass. We’ve been in business for over twenty years. Been through a myriad of controversies and challenges, and we’ll be through this too.

You’ll have to read the full posts for yourself to decide which side you come down on. I think that in the end, Basecamp just needs to follow its own advice, as given in chapter 87 of its book Getting Real:

When you rock the boat, there will be waves. After you introduce a new feature, change a policy, or remove something, knee-jerk reactions, often negative, will pour in.

Resist the urge to panic or rapidly change things in response. Passions flare in the beginning. But if you ride out this initial 24-48 hour period, things will usually settle down. Most people respond before they’ve really dug in and used whatever you’ve added (or gotten along with what you’ve removed). So sit back, take it all in, and don’t make a move until some time has passed. Then you’ll be able to offer a more reasoned response.

Is Heroku Still Relevant?

The decline of Heroku
Even Heroku’s founders recognize that the revolutionary web development platform has run out of steam. How did Heroku lose its magic, and could a new, modern Heroku revive the PaaS?

Heroku has long been held up as the gold-standard platform as a service (PaaS) for software developers to easily deploy their code without having to worry about the underlying infrastructure, while others see it as akin to a magical fallen civilization with a limited future.

“The history of IT is littered with platforms people thought were fantastic that don’t exist anymore,” said James Governor, a founder of the developer-focused analyst firm RedMonk. “It had a good run and a huge influence, but nothing lasts forever.”

Founded in 2007 by three Ruby developers—James Lindenbaum, Adam Wiggins, and Orion Henry—Heroku was bought just three years later, when the SaaS giant Salesforce eventually beat out VMware to pick the company up for $212 million when it still had only 30 people on staff and supported only the Ruby programming language.

“The next big thing for Heroku is the deep integration of its capabilities with the rest of the Salesforce Platform via Salesforce Functions,” a Salesforce spokesperson said. Salesforce Functions “lets developers write code that integrates with their data and events on the Salesforce Platform, then run it on-demand with elastic scale in a serverless environment.”

If serverless were to become the next industry standard, there is certainly an opportunity there for Heroku to reshape itself for that next wave of change. “I would leapfrog microservices for serverless if I did this again today,” said PensionBee’s Lister Parsons. “Serverless could be the ‘phoenix from the ashes’ moment for Heroku.”

I still use Heroku for some projects, but my usage of it is getting less and less.