read

· · to read
Tech Ethics New Year’s Resolution: Don’t Build Software You Will Regret by Jennifer Riggins
we should be working not just to pay the bills, but to make sure we don’t create software that we will one day regret.

In the web accessibility space, we talk a lot about how everyone has a role to play when it comes to accessibility. We’ve been talking about this for a very long time, and I’m glad to see the idea that when it comes to cross-disciplinary things like ethics, it’s not just one person’s responsibility. Accessibility, at its core, is an ethics issue, and I think that, just as accessibility as a part needs a good business case to support it, tech ethics as a whole will need that too. Right now we’re still in the beginning stages of considering tech ethics as a whole, so we’re not to the part yet where the business case for it, or even the general idea of a business case, is being considered. But I suspect we’ll get there soon enough.

read

· · to read
New 5.0 Target Date
Based on the stability, testing, and reports on the release candidates for WordPress 5.0 so far, we are now targeting Thursday December 6th for public release and announcement. 5.0.1 will open for commits soon, and will be an area people can choose to focus on at the contributor day at WordCamp US ...

For those of you who are reading this in your inbox, the context for this post is the recently-published, (as in yesterday), target release date for WordPress 5.0, which rolls out the new Gutenberg editor. I’d like to say I’m surprised by this, but I’m just not. I find myself asking a few questions: First, I find it very difficult to believe that a piece of software that is being released with known, significant issues, (up to and including significant accessibility issues, and no, that doesn’t just apply to assistive technology users), can be declared stable enough for release. Accessibility problems, just by themselves, are bugs. Well, they are if you claim to consider accessibility a priority. Next, if the plan was to release the Thursday before WordCamp US, (and I have to concur with those who believe it has been), what was the point of all those one-on-one office hours? How is anyone in the WordPress community supposed to believe that Matt is dealing in good faith when he has apparently convinced himself of the superiority of his own definition of quality and stability, and that his cause is so right and so perfect that it’s worth literally sneaking a major release out the door while everyone is traveling to WordCamp US? I am not opposed to the concept of Gutenberg, and I never have been. I know the current editor is not perfect, and that it can be improved. But this whole thing wreaks of fanaticism, arrogance, dishonesty, a complete disregard for any standard definitions of quality control, (there’s no way, absolutely none, that enough time for actual testing, complete with stress cases, could have been performed between RC 2 and RC 3, and that’s not even counting RC 1), a complete disregard for those of us who work with WordPress users outside of what is apparently a hermetically sealed bubble of perfection in which Matt lives, and the day-to-day experience that has informed our comments since day one, along with a healthy dose of hope as a strategy when it comes to Gutenberg. The question and answer session at this weekend’s State of the Word address is going to get interesting, as is the dev chat this Wednesday.

read

· · to read
Prototypes and production
Don’t build prototypes with a production mindset. Don’t release prototype code into production.

I don’t think I’m too far off base to suggest that so many of the problems we face on the web could be avoided if the prototype mindset discussed in this article were limited to the prototype phase by developers and designers, and kept completely separate from the production process.

read

· · to read
XSS in hidden input fields
At PortSwigger, we regularly run pre-release builds of Burp Suite against an internal testbed of popular web applications to make sure it's behaving properly. Whilst doing this recently, Liam found a

I can absolutely see a case where users would interact, and and therefore become vulnerable to this exploit: Keyboard-only users, screen reader users, and speech recognition users. So this might be worth looking into, especially if you’re adding a ton of keyboard shortcuts to your app and calling it an accessibility improvement.

read

· · to read
( )

This is a good read regarding the event-stream ongoing saga, and I agree with it, but I also have some things to add to it. For those of you who may not be familiar, (non-developers), event-stream was pulled from Node Package Manager, (something that gets used pretty frequently when building software in order to manage dependencies, otherwise known as other code bits you need in order to run/build your code bit), because it relied on another package which was found to have vulnerabilities. It was then handed over to someone else, who promptly added a cryptocurrency iner to it, at which point the internets freaked out. Frankly I don’t completely blame the new maintainer for adding the cryptocurrency miner. There are very large corporations who have no problem using open source software for their benefit, all while not supporting the maintainers. See for example: Apple and Microsoft. And if you can’t be relied on to hit that donate button, well then we’ll just use your processing power because eating habbits need to be supported. I’d like to add to the post I’m linking to though that, while I think code does need to be simpler and thus easier to understand, I also think maybe we need to simplify our build processes. But back to the “understanding” point, reading code is a learned skill, and I think to a certain extent it’s on the users, (and in this case the users are developers), to learn how to read code. As much as I’d like code to be simpler, outside of everyone who writes code taking courses/reading books on best practice and then applying all that, I don’t see this happening.

read

· · to read
Playboy.com Sued by Man Alleging Website Not Accessible to the Blind
Playboy.com sued by man claiming website is not accessible to visually impaired.

I’m trying to decide if TMZ counts as accessibility hitting the mainstream or not. Also, someone should let them know that, (while Playboy Magazine has been available as part of the National Library Service for the Blind and Visually Handicapped for decades), in both braille and audio formats, blind people do not read Playboy for the articles. Some blind people are avid consumers of adult entertainment just as some sighted people are. Also, dear Playboy, if Pornhub can figure out how to make their entire site accessible while preserving its nature and content, you can too.

read

· · to read
( )

I’m glad to see that WCAG 2.1 is being adopted so quickly. It was released on June 5, 2018, WCAG 2.0 took a while to be adopted as the standard. 2.1 does a lot to address the needs of not only people with disabilities, but also people who are older, (sorry screen reader users, it’s not just about us and it never has been), and I’m pleased to see that we didn’t have to wait two years to see it adopted. I’m also glad the National Federation of the Blind resorted to structured negotiation and not a lawsuit, and would like to see more campaigning in the organization’s ranks for this approach.

read
· · to read
5th Annual Hacktoberfest Kicks Off Today, Updated Rules Require 5 Pull Requests to Earn a T-shirt
DigitalOcean, along with GitHub and new partner Twilio, are sponsoring the 5th annual Hacktoberfest. The event was created to encourage participants to make meaningful contributions to open source …

I’m wondering if @DictationBridge has any issues that need pull requests. I’m also wondering if pull requests on docs count. I should check the rules because a limited edition Hacktoberfest t-shirt would be nice to add to the collection.

read
· · to read
Cryptology and Physical Security: Rights Amplification in Master-Keyed Mechanical Locks by Matt Blaze
This paper examines mechanical lock security from the perspective of computer science and cryptology. We focus on new and practical attacks for amplifying rights in mechanical pin tumbler locks. Given access to a single master-keyed lock and its associated key, a procedure is given that allows discovery and creation of a working master key for the system. No special skill or equipment, beyond a small number of blank keys and a metal file, is required, and the attacker need engage in no suspicious behavior at the lock’s location. Countermeasures are also described that may provide limited protection under certain circumstances. We conclude with directions for research in this area and the suggestion that mechanical locks are worthy objects for study and scrutiny.